Index: stable/9/contrib/bind9/CHANGES
===================================================================
--- stable/9/contrib/bind9/CHANGES	(revision 286123)
+++ stable/9/contrib/bind9/CHANGES	(revision 286124)
@@ -1,12464 +1,12475 @@
+	--- 9.9.7-P2 released ---
+
+4165.	[security]	A failure to reset a value to NULL in tkey.c could
+			result in an assertion failure. (CVE-2015-5477)
+			[RT #40046]
+
+	--- 9.9.7-P1 released ---
+
+4138.	[bug]		An uninitialized value in validator.c could result
+			in an assertion failure. (CVE-2015-4620) [RT #39795]
+
 	--- 9.9.7 released ---
 
 	--- 9.9.7rc2 released ---
 
 4061.	[bug]		Handle timeout in legacy system test. [RT #38573]
 
 4060.	[bug]		dns_rdata_freestruct could be called on a
 			uninitialised structure when handling a error.
 			[RT #38568]
 
 4059.	[bug]		Addressed valgrind warnings. [RT #38549]
 
 4058.	[bug]		UDP dispatches could use the wrong pseudorandom
 			number generator context. [RT #38578]
 
 4056.	[bug]		Fixed several small bugs in automatic trust anchor
 			management, including a memory leak and a possible
 			loss of key state information. [RT #38458]
 
 4057.	[bug]		'dnssec-dsfromkey -T 0' failed to add ttl field.
 			[RT #38565]
 
 4053.	[security]	Revoking a managed trust anchor and supplying
 			an untrusted replacement could cause named
 			to crash with an assertion failure.
 			(CVE-2015-1349) [RT #38344]
 
 4052.	[bug]		Fix a leak of query fetchlock. [RT #38454]
 
 4050.	[bug]		RPZ could send spurious SERVFAILs in response
 			to duplicate queries. [RT #38510]
 
 4049.	[bug]		CDS and CDNSKEY had the wrong attributes. [RT #38491]
 
 4048.	[bug]		adb hash table was not being grown. [RT #38470]
 
 	--- 9.9.7rc1 released ---
 
 4047.	[cleanup]	"named -V" now reports the current running versions
 			of OpenSSL and the libxml2 libraries, in addition to
 			the versions that were in use at build time.
 
 4046.	[bug]		Accounting of "total use" in memory context
 			statistics was not correct. [RT #38370]
 
 4045.	[bug]		Skip to next master on dns_request_createvia4 failure.
 			[RT #25185]
 
 4044.	[bug]		Change 3955 was not complete, resulting in an assertion
 			failure if the timing was just right. [RT #38352]
 
 4039.	[cleanup]	Cleaned up warnings from gcc -Wshadow. [RT #37381]
 
 4038.	[bug]		Add 'rpz' flag to node and use it to determine whether
 			to call dns_rpz_delete.  This should prevent unbalanced
 			add / delete calls. [RT #36888]
 
 4037.	[bug]		also-notify was ignoring the tsig key when checking
 			for duplicates resulting in some expected notify
 			messages not being sent. [RT #38369]
 
 4035.	[bug]		Close temporary and NZF FILE pointers before moving
 			the former into the latter's place, as required on
 			Windows. [RT #38332]
 
 4032.	[bug]		Built-in "empty" zones did not correctly inherit the
 			"allow-transfer" ACL from the options or view.
 			[RT #38310]
 
 4031.	[bug]		named-checkconf -z failed to report a missing file
 			with a hint zone. [RT #38294]
 
 4028.	[bug]		$GENERATE with a zero step was not being caught as a
 			error.  A $GENERATE with a / but no step was not being
 			caught as a error. [RT #38262]
 
 3973.	[test]		Added hooks for Google Performance Tools CPU profiler,
 			including real-time/wall-clock profiling. Use
 			"configure --with-gperftools-profiler" to enable.
 			[RT #37339]
 
 	--- 9.9.7b1 released ---
 
 4027.	[port]		Net::DNS 0.81 compatibility. [RT #38165]
 
 4026.	[bug]		Fix RFC 3658 reference in dig +sigchase. [RT #38173]
 
 4025.	[port]		bsdi: failed to build. [RT #38047]
 
 4024.	[bug]		dns_rdata_opt_first, dns_rdata_opt_next,
 			dns_rdata_opt_current, dns_rdata_txt_first,
 			dns_rdata_txt_next and dns_rdata_txt_current were
 			documented but not implemented.  These have now been
 			implemented.
 
 			dns_rdata_spf_first, dns_rdata_spf_next and
 			dns_rdata_spf_current were documented but not
 			implemented.  The prototypes for these
 			functions have been removed. [RT #38068]
 
 4023.	[bug]		win32: socket handling with explicit ports and
 			invoking named with -4 was broken for some
 			configurations. [RT #38068]
 
 4021.	[bug]		Adjust max-recursion-queries to accommodate
 			the need for more queries when the cache is
 			empty. [RT #38104]
 
 4020.	[bug]		Change 3736 broke nsupdate's SOA MNAME discovery
 			resulting in updates being sent to the wrong server.
 			[RT #37925]
 
 4019.	[func]		If named is not configured to validate the answer
 			then allow fallback to plain DNS on timeout even
 			when we know the server supports EDNS. [RT #37978]
 
 4018.	[bug]		Fall back to plain DNS when EDNS queries are being
 			dropped was failing. [RT #37965]
 
 4017.	[test]		Add system test to check lookups to legacy servers
 			with broken DNS behavior. [RT #37965]
 
 4016.	[bug]		Fix a dig segfault due to bad linked list usage.
 			[RT #37591]
 
 4015.	[bug]		Nameservers that are skipped due to them being
 			CNAMEs were not being logged. They are now logged
 			to category 'cname' as per BIND 8. [RT #37935]
 
 4014.	[bug]		When including a master file origin_changed was
 			not being properly set leading to a potentially
 			spurious 'inherited owner' warning. [RT #37919]
 
 4012.	[bug]		Check returned status of OpenSSL digest and HMAC
 			functions when they return one. Note this applies
 			only to FIPS capable OpenSSL libraries put in
 			FIPS mode and MD5. [RT #37944]
 
 4011.	[bug]		master's list port inheritance was not properly
 			implemented. [RT #37792]
 
 4007.	[doc]		Remove acl forward reference restriction. [RT #37772]
 
 4006.	[security]	A flaw in delegation handling could be exploited
 			to put named into an infinite loop.  This has
 			been addressed by placing limits on the number
 			of levels of recursion named will allow (default 7),
 			and the number of iterative queries that it will
 			send (default 50) before terminating a recursive
 			query (CVE-2014-8500).
 
 			The recursion depth limit is configured via the
 			"max-recursion-depth" option, and the query limit
 			via the "max-recursion-queries" option.  [RT #37580]
 
 4004.	[bug]		When delegations had AAAA glue but not A, a
 			reference could be leaked causing an assertion
 			failure on shutdown. [RT #37796]
 
 4000.	[bug]		NXDOMAIN redirection incorrectly handled NXRRSET
 			from the redirect zone. [RT #37722]
 
 3998.	[bug]		isc_radix_search was returning matches that were
 			too precise. [RT #37680]
 
 3997.	[protocol]	Add OPENGPGKEY record. [RT# 37671]
 
 3996.	[bug]		Address use after free on out of memory error in
 			keyring_add. [RT #37639]
 
 3995.	[bug]		receive_secure_serial holds the zone lock for too
 			long. [RT #37626]
 
 3990.	[testing]	Add tests for unknown DNSSEC algorithm handling.
 			[RT #37541]
 
 3989.	[cleanup]	Remove redundant dns_db_resigned calls. [RT #35748]
 
 3987.	[func]		Handle future Visual Studio 14 incompatible changes.
 			[RT #37380]
 
 3986.	[doc]		Add the BIND version number to page footers
 			in the ARM. [RT #37398]
 
 3985.	[doc]		Describe how +ndots and +search interact in dig.
 			[RT #37529]
 
 3982.	[doc]		Include release notes in product documentation.
 			[RT #37272]
 
 3981.	[bug]		Cache DS/NXDOMAIN independently of other query types.
 			[RT #37467]
 
 3978.	[test]		Added a unit test for Diffie-Hellman key
 			computation, completing change #3974. [RT #37477]
 
 3976.	[bug]		When refreshing managed-key trust anchors, clear
 			any cached trust so that they will always be
 			revalidated with the current set of secure
 			roots. [RT #37506]
 
 3974.	[bug]		Handle DH_compute_key() failure correctly in
 			openssldh_link.c. [RT #37477]
 
 3972.	[bug]		Fix host's usage statement. [RT #37397]
 
 3971.	[bug]		Reduce the cascading failures due to a bad $TTL line
 			in named-checkconf / named-checkzone. [RT #37138]
 
 3970.	[contrib]	Fixed a use after free bug in the SDB LDAP driver.
 			[RT #37237]
 
 3968.	[bug]		Silence spurious log messages when using 'named -[46]'.
 			[RT #37308]
 
 3967.	[test]		Add test for inlined signed zone in multiple views
 			with different DNSKEY sets. [RT #35759]
 
 3966.	[bug]		Missing dns_db_closeversion call in receive_secure_db.
 			[RT #35746]
 
 3962.	[bug]		'dig +topdown +trace +sigchase' address unhandled error
 			conditions. [RT #34663]
 
 3961.	[bug]		Forwarding of SIG(0) signed UPDATE messages failed with
 			BADSIG.  [RT #37216]
 
 3960.	[bug]		'dig +sigchase' could loop forever. [RT #37220]
 
 3959.	[bug]		Updates could be lost if they arrived immediately
 			after a rndc thaw. [RT #37233]
 
 3958.	[bug]		Detect when writeable files have multiple references
 			in named.conf. [RT #37172]
 
 3957.	[bug]		"dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
 			and ECDSAP384SHA384. [RT #37183]
 
 3955.	[bug]		Notify messages due to changes are no longer queued
 			behind startup notify messages. [RT #24454]
 
 3954.	[bug]		Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
 
 3953.	[bug]		Don't escape semi-colon in TXT fields. [RT #37159]
 
 3952.	[bug]		dns_name_fullcompare failed to set *nlabelsp when the
 			two name pointers were the same. [RT #37176]
 
 	--- 9.9.6 released ---
 
 3950.	[port]		Changed the bin/python Makefile to work around a
 			bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
 
 	--- 9.9.6rc2 released ---
 
 3947.	[cleanup]	Set the executable bit on libraries when using
 			libtool. [RT #36786]
 
 3946.	[cleanup]	Improved "configure" search for a python interpreter.
 			[RT #36992]
 
 3945.	[bug]		Invalid wildcard expansions could be incorrectly
 			accepted by the validator. [RT #37093]
 
 3944.	[test]		Added a regression test for "server-id". [RT #37057]
 
 3942.	[bug]		Wildcard responses from a optout range should be
 			marked as insecure. [RT #37072]
 
 3941.	[doc]		Include the BIND version number in the ARM. [RT #37067]
 
 	--- 9.9.6rc1 released ---
 
 3933.	[bug]		Corrected the implementation of dns_rdata_casecompare()
 			for the HIP rdata type.  [RT #36911]
 
 3932.	[test]		Improved named-checkconf tests. [RT #36911]
 
 3931.	[cleanup]	Cleanup how dlz grammar is defined. [RT #36879]
 
 3929.	[bug]		'host -a' needed to clear idnoptions. [RT #36963]
 
 3928.	[test]		Improve rndc system test. [RT #36898]
 
 3925.	[bug]		DS lookup of RFC 1918 empty zones failed. [RT #36917]
 
 3924.	[bug]		Improve 'rndc addzone' error reporting. [RT #35187]
 
 3923.	[bug]		Sanity check the xml2-config output. [RT #22246]
 
 3922.	[bug]		When resigning, dnssec-signzone was removing
 			all signatures from delegation nodes. It now
 			retains DS and (if applicable) NSEC signatures.
 			[RT #36946]
 
 3921.	[bug]		AD was inappropriately set on RPZ responses. [RT #36833]
 
 3919.	[bug]		dig: continue to next line if a address lookup fails
 			in batch mode. [RT #36755]
 
 3918.	[doc]		Update check-spf documentation. [RT #36910]
 
 3917.	[bug]		dig, nslookup and host now continue on names that are
 			too long after applying a search list elements.
 			[RT #36892]
 
 3916.	[contrib]	zone2sqlite checked wrong result code.  Address
 			compiler warnings. [RT #36931]
 
 	--- 9.9.6b2 released ---
 
 3914.	[bug]		Allow the URI target and CAA value fields to
 			be zero length. [RT #36737]
 
 3913.	[bug]		Address race issue in dispatch. [RT #36731]
 
 3910.	[bug]		Fix races to free event during shutdown. [RT #36720]
 
 3909.	[bug]		When computing the number of elements required for a
 			acl count_acl_elements could have a short count leading
 			to a assertion failure.  Also zero out new acl elements
 			in dns_acl_merge.  [RT #36675]
 
 3908.	[bug]		rndc now differentiates between a zone in multiple
 			views and a zone that doesn't exist at all. [RT #36691]
 
 3907.	[cleanup]	Alphabetize rndc help. [RT #36683]
 
 3906.	[protocol]	Update URI record format to comply with
 			draft-faltstrom-uri-08. [RT #36642]
 
 3905.	[bug]		Address deadlock between view.c and adb.c. [RT #36341]
 
 3904.	[func]		Add the RPZ SOA to the additional section. [RT36507]
 
 3903.	[bug]		Improve the accuracy of DiG's reported round trip
 			time. [RT 36611]
 
 3902.	[bug]		liblwres wasn't handling link-local addresses in
 			nameserver clauses in resolv.conf. [RT #36039]
 
 3901.	[protocol]	Added support for CAA record type (RFC 6844).
 			[RT #36625]
 
 3900.	[bug]		Fix a crash in PostgreSQL DLZ driver. [RT #36637]
 
 3899.	[bug]		"request-ixfr" is only applicable to slave and redirect
 			zones. [RT #36608]
 
 3898.	[bug]		Too small a buffer in tohexstr() calls in test code.
 			[RT #36598]
 
 3894.	[bug]		Buffers in isc_print_vsnprintf were not properly
 			initialized leading to potential overflows when
 			printing out quad values. [RT #36505]
 
 3892.	[bug]		Setting '-t aaaa' in .digrc had unintended side
 			effects. [RT #36452]
 
 3891.	[bug]		Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM}
 			to install python programs.
 
 3890.	[bug]		RRSIG sets that were not loaded in a single transaction
 			at start up where not being correctly added to
 			re-signing heaps.  [RT #36302]
 
 3889.	[port]		hurd: configure fixes as per:
 			https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540
 
 3887.	[cleanup]	Make all static symbols in rbtdb64 end in "64" so
 			they are easier to use in a debugger. [RT #36373]
 
 	--- 9.9.6b1 released ---
 
 3885.	[port]		Use 'open()' rather than 'file()' to open files in
 			python.
 
 3884.	[protocol]	Add CDS and CDNSKEY record types. [RT #36333]
 
 3881.	[bug]		Address memory leak with UPDATE error handling.
 			[RT #36303]
 
 3880.	[test]		Update ans.pl to work with new TSIG support in
 			Net::DNS; add additional Net::DNS version prerequisite
 			checks. [RT #36327]
 
 3879.	[func]		Add version printing option to various BIND utilities.
 			[RT #10686]
 
 3878.	[bug]		Using the incorrect filename for a DLZ module
 			caused a segmentation fault on startup. [RT #36286]
 
 3874.	[test]		Check that only "check-names master" is needed for
 			updates to be accepted.
 
 3873.	[protocol]	Only warn for SPF without TXT spf record. [RT #36210]
 
 3872.	[bug]		Address issues found by static analysis. [RT #36209]
 
 3871.	[bug]		Don't publish an activated key automatically before
 			its publish time. [RT #35063]
 
 3870.	[placeholder]
 
 3869.	[placeholder]
 
 3868.	[bug]		isc_mem_setwater incorrectly cleared hi_called
 			potentially leaving over memory cleaner running.
 			[RT #35270]
 
 3866.	[bug]		Named could die on disk full in generate_session_key.
 			[RT #36119]
 
 3864.	[bug]		RPZ didn't work well when being used as forwarder.
 			[RT #36060]
 
 3862.	[cleanup]	Return immediately if we are not going to log the
 			message in ns_client_dumpmessage.
 
 3861.	[bug]		Benign missing isc_buffer_availablelength check in
 			dns_message_pseudosectiontotext.  [RT #36078]
 
 3860.	[bug]		ioctl(DP_POLL) array size needs to be determined
 			at run time as it is limited to {OPEN_MAX}.
 			[RT #35878]
 
 3858.	[bug]		Disable GCC 4.9 "delete null pointer check".
 			[RT #35968]
 
 3857.	[bug]		Make it harder for a incorrect NOEDNS classification
 			to be made. [RT #36020]
 
 3855.	[bug]		Limit smoothed round trip time aging to no more than
 			once a second. [RT #32909]
 
 3854.	[cleanup]	Report unrecognized options, if any, in the final
 			configure summary. [RT #36014]
 
 3853.	[cleanup]	Refactor dns_rdataslab_fromrdataset to separate out
 			the handling of a rdataset with no records. [RT #35968]
 
 3849.	[doc]		Alphabetized dig's +options. [RT #35992]
 
 3847.	[bug]		'configure --with-dlz-postgres' failed to fail when
 			there is not support available.
 
 3846.	[bug]		"dig +notcp ixfr=<serial>" should result in a UDP
 			ixfr query. [RT #35980]
 
 3844.	[bug]		Use the x64 version of the Microsoft Visual C++
 			Redistributable when built for 64 bit Windows.
 			[RT #35973]
 
 3843.	[protocol]	Check EDNS EXPIRE option in dns_rdata_fromwire.
 			[RT #35969]
 
 3842.	[bug]		Adjust RRL log-only logging category. [RT #35945]
 
 3841.	[cleanup]	Refactor zone.c:add_opt to use dns_message_buildopt.
 			[RT #35924]
 
 3840.	[port]		Check for arc4random_addrandom() before using it;
 			it's been removed from OpenBSD 5.5. [RT #35907]
 
 3839.	[test]		Use only posix-compatible shell in system tests.
 			[RT #35625]
 
 3838.	[protocol]	EDNS EXPIRE as been assigned a code point of 9.
 
 3836.	[bug]		Address C++ keyword usage in header file.
 
 3834.	[bug]		The re-signing heaps were not being updated soon enough
 			leading to multiple re-generations of the same RRSIG
 			when a zone transfer was in progress. [RT #35273]
 
 3833.	[bug]		Cross compiling was broken due to calling genrandom at
 			build time. [RT #35869]
 
 3827.	[contrib]	The example DLZ driver (a version of which is
 			also used in the dlzexternal system test) could
 			use absolute names as relative. [RT #35802]
 
 3826.	[bug]		Corrected bad INSIST logic in isc_radix_remove().
 			[RT #35870]
 
 3825.	[bug]		Address sign extension bug in isc_regex_validate.
 			[RT #35758]
 
 3824.	[bug]		A collision between two flag values could cause
 			problems with cache cleaning. [RT #35858]
 
 3822.	[bug]		Log the correct type of static-stub zones when
 			removing them. [RT #35842]
 
 3819.	[bug]		NSEC3 hashes need to be able to be entered and
 			displayed without padding.  This is not a issue for
 			currently defined algorithms but may be for future
 			hash algorithms. [RT #27925]
 
 3818.	[bug]		Stop lying to the optimizer that 'void *arg' is a
 			constant in isc_event_allocate.
 
 3815.	[doc]		Clarify "nsupdate -y" usage in man page. [RT #35808]
 
 3809.	[doc]		Fix NSID documentation.
 
 3807.	[bug]		Fix sign extension bug in dns_name_fromtext when
 			lowercase is set. [RT #35743]
 
 3806.	[test]		Improved system test portability. [RT #35625]
 
 3805.	[contrib]	Added contrib/perftcpdns, a performance testing tool
 			for DNS over TCP. [RT #35710]
 
 3804.	[bug]		Corrected a race condition in dispatch.c in which
 			portentry could be reset leading to an assertion
 			failure in socket_search(). (Change #3708
 			addressed the same issue but was incomplete.)
 			[RT #35128]
 
 3803.	[bug]		"named-checkconf -z" incorrectly rejected zones
 			using alternate data sources for not having a "file"
 			option. [RT #35685]
 
 3802.	[bug]		Various header files were not being installed.
 
 3801.	[port]		Fix probing for gssapi support on FreeBSD. [RT #35615]
 
 3799.	[bug]		Improve named's command line error reporting.
 			[RT #35603]
 
 3796.	[bug]		Register dns error codes. [RT #35629]
 
 3795.	[bug]		Make named-checkconf detect raw masterfiles for
 			hint zones and reject them. [RT #35268]
 
 3794.	[maint]		Added AAAA for C.ROOT-SERVERS.NET.
 
 3793.	[bug]		zone.c:save_nsec3param() could assert when out of
 			memory. [RT #35621]
 
 3792.	[func]		Provide links to the alternate statistics views when
 			displaying in a browser.  [RT #35605]
 
 3791.	[bug]		solaris: remove extraneous return. [RT #35589]
 
 3787.	[bug]		The code that checks whether "auto-dnssec" is
 			allowed was ignoring "allow-update" ACLs set at
 			the options or view level. [RT #29536]
 
 3780.	[bug]		$GENERATE handled negative numbers incorrectly.
 			[RT #25528]
 
 3779.	[cleanup]	Clarify the error message when using an option
 			that was not enabled at compile time. [RT #35504]
 
 3778.	[bug]		Log a warning when the wrong address family is
 			used in "listen-on" or "listen-on-v6". [RT #17848]
 
 3775.	[bug]		dlz_dlopen driver could return the wrong error
 			code on API version mismatch, leading to a segfault.
 			[RT #35495]
 
 3773.	[func]		"host", "nslookup" and "nsupdate" now have
 			options to print the version number and exit.
 			[RT #26057]
 
 3770.	[bug]		"dig +trace" could fail with an assertion when it
 			needed to fall back to TCP due to a truncated
 			response. [RT #24660]
 
 3769.	[doc]		Improved documentation of "rndc signing -list".
 			[RT #30652]
 
 3768.	[bug]		"dnssec-checkds" was missing the SHA-384 digest
 			algorithm. [RT #34000]
 
 3767.	[func]		Log explicitly when using rndc.key to configure
 			command channel. [RT #35316]
 
 3765.	[bug]		Fixed a bug in "rndc secroots" that could crash
 			named when dumping an empty keynode. [RT #35469]
 
 3764.	[bug]		The dnssec-keygen/settime -S and -i options
 			(to set up a successor key and set the prepublication
 			interval) were missing from dnssec-keyfromlabel.
 			[RT #35394]
 
 3761.	[bug]		Address dangling reference bug in dns_keytable_add.
 			[RT #35471]
 
 3757.	[port]		Enable Python tools (dnssec-coverage,
 			dnssec-checkds) to run on Windows. [RT #34355]
 
 3756.	[bug]		GSSAPI Kerberos realm checking was broken in
 			check_config leading to spurious messages being
 			logged.  [RT #35443]
 
 3754.	[cleanup]	win32: Installer now places files in the
 			Program Files area rather than system services.
 			[RT #35361]
 
 3753.	[bug]		allow-notify was ignoring keys. [RT #35425]
 
 3751.	[tuning]	The default setting for the -U option (setting
 			the number of UDP listeners per interface) has
 			been adjusted to improve performance. [RT #35417]
 
 3747.	[bug]		A race condition could lead to a core dump when
 			destroying a resolver fetch object. [RT #35385]
 
 3743.	[bug]		delegation-only flag wasn't working in forward zone
 			declarations despite being documented.  This is
 			needed to support turning off forwarding and turning
 			on delegation only at the same name.  [RT #35392]
 
 3742.	[port]		linux: libcap support: declare curval at start of
 			block. [RT #35387]
 
 3740.	[contrib]	Minor fixes to configure --with-dlz-bdb,
 			--with-dlz-postgres and --with-dlz-odbc. [RT #35340]
 
 3737.	[bug]		'rndc retransfer' could trigger a assertion failure
 			with inline zones. [RT #35353]
 
 3736.	[bug]		nsupdate: When specifying a server by name,
 			fall back to alternate addresses if the first
 			address for that name is not reachable. [RT #25784]
 
 3734.	[bug]		Improve building with libtool. [RT #35314]
 
 3732.	[contrib]	Fixed a type mismatch causing the ODBC DLZ
 			driver to dump core on 64-bit systems. [RT #35324]
 
 3731.	[func]		Added a "no-case-compress" ACL, which causes
 			named to use case-insensitive compression
 			(disabling change #3645) for specified
 			clients. (This is useful when dealing
 			with broken client implementations that
 			use case-sensitive name comparisons,
 			rejecting responses that fail to match the
 			capitalization of the query that was sent.)
 			[RT #35300]
 
 3730.	[cleanup]	Added "never" as a synonym for "none" when
 			configuring key event dates in the dnssec tools.
 			[RT #35277]
 
 3729.	[bug]		dnssec-keygen could set the publication date
 			incorrectly when only the activation date was
 			specified on the command line. [RT #35278]
 
 3724.	[bug]		win32: Fixed a bug that prevented dig and
 			host from exiting properly after completing
 			a UDP query. [RT #35288]
 
 3720.	[bug]		Address compiler warnings. [RT #35261]
 
 3719.	[bug]		Address memory leak in in peer.c. [RT #35255]
 
 3718.	[bug]		A missing ISC_LINK_INIT in log.c. [RT #35260]
 
 3714.	[test]		System tests that need to test for cryptography
 			support before running can now use a common
 			"testcrypto.sh" script to do so. [RT #35213]
 
 3713.	[bug]		Save memory by not storing "also-notify" addresses
 			in zone objects that are configured not to send
 			notify requests. [RT #35195]
 
 	--- 9.9.5 released ---
 
 	--- 9.9.5rc2 released ---
 
 3710.	[bug]		Address double dns_zone_detach when switching to
 			using automatic empty zones from regular zones.
 			[RT #35177]
 
 3709.	[port]		Use built-in versions of strptime() and timegm()
 			on all platforms to avoid portability issues.
 			[RT #35183]
 
 3708.	[bug]		Address a portentry locking issue in dispatch.c.
 			[RT #35128]
 
 3707.	[bug]		irs_resconf_load now returns ISC_R_FILENOTFOUND
 			on a missing resolv.conf file and initializes the
 			structure as if it had been configured with:
 
 				nameserver ::1
 				nameserver 127.0.0.1
 
 			Note: Callers will need to be updated to treat
 			ISC_R_FILENOTFOUND as a qualified success or else
 			they will leak memory. The following code fragment
 			will work with both old and new versions without
 			changing the behaviour of the existing code.
 
 			resconf = NULL;
 			result = irs_resconf_load(mctx, "/etc/resolv.conf",
 						  &resconf);
 			if (result != ISC_SUCCESS) {
 				if (resconf != NULL)
 					irs_resconf_destroy(&resconf);
 				....
 			}
 
 			[RT #35194]
 
 3706.	[contrib]	queryperf: Fixed a possible integer overflow when
 			printing results. [RT #35182]
 
 3704.	[protocol]	Accept integer timestamps in RRSIG records. [RT #35185]
 
 	--- 9.9.5rc1 released ---
 
 3701.	[func]		named-checkconf can now obscure shared secrets
 			when printing by specifying '-x'. [RT #34465]
 
 3699.	[bug]		Improvements to statistics channel XSL stylesheet:
 			the stylesheet can now be cached by the browser;
 			section headers are omitted from the stats display
 			when there is no data in those sections to be
 			displayed; counters are now right-justified for
 			easier readability. (Only available with
 			configure --enable-newstats.) [RT #35117]
 
 3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
 			[RT #35120]
 
 3697.	[bug]		Handle "." as a search list element when IDN support
 			is enabled. [RT #35133]
 
 3696.	[bug]		dig failed to handle AXFR style IXFR responses which
 			span multiple messages. [RT #35137]
 
 3695.	[bug]		Address a possible race in dispatch.c. [RT #35107]
 
 3694.	[bug]		Warn when a key-directory is configured for a zone,
 			but does not exist or is not a directory. [RT #35108]
 
 3693.	[security]	memcpy was incorrectly called with overlapping
 			ranges resulting in malformed names being generated
 			on some platforms.  This could cause INSIST failures
 			when serving NSEC3 signed zones (CVE-2014-0591).
 			[RT #35120]
 
 3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
 			was no data at the node. [RT #35080]
 
 3690.	[bug]		Iterative responses could be missed when the source
 			port for an upstream query was the same as the
 			listener port (53). [RT #34925]
 
 3689.	[bug]		Fixed a bug causing an insecure delegation from one
 			static-stub zone to another to fail with a broken
 			trust chain. [RT #35081]
 
 	--- 9.9.5b1 released ---
 
 3688.	[bug]		loadnode could return a freed node on out of memory.
 			[RT #35106]
 
 3687.	[bug]		Address null pointer dereference in zone_xfrdone.
 			[RT #35042]
 
 3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
 			that are still published but no longer active.
 			[RT #34990]
 
 3685.	[bug]		"rndc refresh" didn't work correctly with slave
 			zones using inline-signing. [RT #35105]
 
 3683.	[cleanup]	Add a more detailed "not found" message to rndc
 			commands which specify a zone name. [RT #35059]
 
 3682.	[bug]		Correct the behavior of rndc retransfer to allow
 			inline-signing slave zones to retain NSEC3 parameters
 			instead of reverting to NSEC. [RT #34745]
 
 3681.	[port]		Update the Windows build system to support feature
 			selection and WIN64 builds.  This is a work in
 			progress. [RT #34160]
 
 3679.	[bug]		dig could fail to clean up TCP sockets still
 			waiting on connect(). [RT #35074]
 
 3678.	[port]		Update config.guess and config.sub. [RT #35060]
 
 3677.	[bug]		'nsupdate' leaked memory if 'realm' was used multiple
 			times.  [RT #35073]
 
 3676.	[bug]		"named-checkconf -z" now checks zones of type
 			hint and redirect as well as master. [RT #35046]
 
 3675.	[misc]		Provide a place for third parties to add version
 			information for their extensions in the version
 			file by setting the EXTENSIONS variable.
 
 3674.	[bug]		RPZ zeroed ttls if the query type was '*'. [RT #35026]
 
 3672.	[func]		Local address can now be specified when using
 			dns_client API. [RT #34811]
 
 3671.	[bug]		Don't allow dnssec-importkey overwrite a existing
 			non-imported private key.
 
 3670.	[bug]		Address read after free in server side of
 			lwres_getrrsetbyname. [RT #29075]
 
 3669.	[port]		freebsd: --with-gssapi needs -lhx509. [RT #35001]
 
 3668.	[bug]		Fix cast in lex.c which could see 0xff treated as eof.
 			[RT #34993]
 
 3667.	[test]		dig: add support to keep the TCP socket open between
 			successive queries (+[no]keepopen).  [RT #34918]
 
 3665.	[bug]		Failure to release lock on error in receive_secure_db.
 			[RT #34944]
 
 3664.	[bug]		Updated OpenSSL PKCS#11 patches to fix active list
 			locking and other bugs. [RT #34855]
 
 3663.	[bug]		Address bugs in dns_rdata_fromstruct and
 			dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
 
 3662.	[bug]		'host' could die if a UDP query timed out. [RT #34870]
 
 3661.	[bug]		Address lock order reversal deadlock with inline zones.
 			[RT #34856]
 
 3660.	[cleanup]	Changed the name of "isc-config.sh" to "bind9-config".
 			[RT #23825]
 
 3659.	[port]		solaris: don't add explicit dependencies/rules for
 			python programs as make won't use the implicit rules.
 			[RT #34835]
 
 3658.	[port]		linux: Address platform specific compilation issue
 			when libcap-devel is installed. [RT #34838]
 
 3657.	[port]		Some readline clones don't accept NULL pointers when
 			calling add_history. [RT #34842]
 
 3656.	[security]	Treat an all zero netmask as invalid when generating
 			the localnets acl. (The prior behavior could
 			allow unexpected matches when using some versions
 			of Winsock: CVE-2013-6320.) [RT #34687]
 
 3655.	[cleanup]	Simplify TCP message processing when requesting a
 			zone transfer.  [RT #34825]
 
 3654.	[bug]		Address race condition with manual notify requests.
 			[RT #34806]
 
 3653.	[func]		Create delegations for all "children" of empty zones
 			except "forward first". [RT #34826]
 
 3651.	[tuning]	Adjust when a master server is deemed unreachable.
 			[RT #27075]
 
 3650.	[tuning]	Use separate rate limiting queues for refresh and
 			notify requests. [RT #30589]
 
 3649.	[cleanup]	Include a comment in .nzf files, giving the name of
 			the associated view. [RT #34765]
 
 3648.	[test]		Updated the ATF test framework to version 0.17.
 			[RT #25627]
 
 3647.	[bug]		Address a race condition when shutting down a zone.
 			[RT #34750]
 
 3646.	[bug]		Journal filename string could be set incorrectly,
 			causing garbage in log messages. [RT #34738]
 
 3645.	[protocol]	Use case sensitive compression when responding to
 			queries. [RT #34737]
 
 3644.	[protocol]	Check that EDNS subnet client options are well formed.
 			[RT #34718]
 
 3642.	[func]		Allow externally generated DNSKEY to be imported
 			into the DNSKEY management framework.  A new tool
 			dnssec-importkey is used to do this. [RT #34698]
 
 3641.	[bug]		Handle changes to sig-validity-interval settings
 			better. [RT #34625]
 
 3640.	[bug]		ndots was not being checked when searching.  Only
 			continue searching on NXDOMAIN responses.  Add the
 			ability to specify ndots to nslookup. [RT #34711]
 
 3639.	[bug]		Treat type 65533 (KEYDATA) as opaque except when used
 			in a key zone. [RT #34238]
 
 	--- 9.9.4 released ---
 
 3643.	[doc]		Clarify RRL "slip" documentation.
 
 3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is
 			encountered. [RT #34668]
 
 	--- 9.9.4rc2 released ---
 
 3637.	[bug]		'allow-query-on' was checking the source address
 			rather than the destination address. [RT #34590]
 
 3636.	[bug]		Automatic empty zones now behave better with
 			forward only "zones" beneath them. [RT #34583]
 
 3635.	[bug]		Signatures were not being removed from a zone with
 			only KSK keys for a algorithm. [RT #34439]
 
 3634.	[func]		Report build-id in rndc status. Report build-id
 			when building from a git repository. [RT #20422]
 
 3633.	[cleanup]	Refactor OPT processing in named to make it easier
 			to support new EDNS options. [RT #34414]
 
 3632.	[bug]		Signature from newly inactive keys were not being
 			removed. [RT #32178]
 
 3631.	[bug]		Remove spurious warning about missing signatures when
 			qtype is SIG. [RT #34600]
 
 3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]
 
 3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]
 
 3625.	[bug]		Don't send notify messages to machines outside of the
 			test setup.
 
 3623.	[bug]		zone-statistics was only effective in new statistics.
 			[RT #34466]
 
 	--- 9.9.4rc1 released ---
 
 3621.	[security]	Incorrect bounds checking on private type 'keydata'
 			can lead to a remotely triggerable REQUIRE failure
 			(CVE-2013-4854). [RT #34238]
 
 3617.	[bug]		Named was failing to answer queries during
 			"rndc reload" [RT #34098]
 
 3616.	[bug]		Change #3613 was incomplete. [RT #34177]
 
 3615.	[cleanup]	"configure" now finishes by printing a summary
 			of optional BIND features and whether they are
 			active or inactive. ("configure --enable-full-report"
 			increases the verbosity of the summary.) [RT #31777]
 
 3614.	[port]		Check for <linux/types.h>. [RT #34162]
 
 3613.	[bug]		named could crash when deleting inline-signing
 			zones with "rndc delzone". [RT #34066]
 
 3611.	[bug]		Improved resistance to a theoretical authentication
 			attack based on differential timing.  [RT #33939]
 
 3610.	[cleanup]	win32: Some executables had been omitted from the
 			installer. [RT #34116]
 
 3608.	[port]		win32: added todos.pl script to ensure all text files
 			the win32 build depends on are converted to DOS
 			newline format. [RT #22067]
 
 3607.	[bug]		dnssec-keygen had broken 'Invalid keyfile' error
 			message. [RT #34045]
 
 	--- 9.9.4b1 released ---
 
 3605.	[port]		win32: Addressed several compatibility issues
 			with newer versions of Visual Studio. [RT #33916]
 
 3603.	[bug]		Install <isc/stat.h>. [RT #33956]
 
 3601.	[bug]		Added to PKCS#11 openssl patches a value len
 			attribute in DH derive key. [RT #33928]
 
 3600.	[cleanup]	dig: Fixed a typo in the warning output when receiving
 			an oversized response. [RT #33910]
 
 3599.	[tuning]	Check for pointer equivalence in name comparisons.
 			[RT #18125]
 
 3596.	[port]		Updated win32 build documentation, added
 			dnssec-verify. [RT #22067]
 
 3594.	[maint]		Update config.guess and config.sub. [RT #33816]
 
 3592.	[doc]		Moved documentation of rndc command options to the
 			rndc man page. [RT #33506]
 
 3590.	[bug]		When using RRL on recursive servers, defer
 			rate-limiting until after recursion is complete;
 			also, use correct rcode for slipped NXDOMAIN
 			responses.  [RT #33604]
 
 3588.	[bug]		dig: addressed a memory leak in the sigchase code
 			that could cause a shutdown crash.  [RT #33733]
 
 3587.	[func]		'named -g' now checks the logging configuration but
 			does not use it. [RT #33473]
 
 3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
 
 3584.	[security]	Caching data from an incompletely signed zone could
 			trigger an assertion failure in resolver.c
 			(CVE-2013-3919). [RT #33690]
 
 3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]
 
 3582.	[bug]		Silence false positive warning regarding missing file
 			directive for inline slave zones.  [RT #33662]
 
 3581.	[bug]		Changed the tcp-listen-queue default to 10. [RT #33029]
 
 3580.	[bug]		Addressed a possible race in acache.c [RT #33602]
 
 3579.	[maint]		Updates to PKCS#11 openssl patches, supporting
 			versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463]
 
 3578.	[bug]		'rndc -c file' now fails if 'file' does not exist.
 			[RT #33571]
 
 3577.	[bug]		Handle zero TTL values better. [RT #33411]
 
 3576.	[bug]		Address a shutdown race when validating. [RT #33573]
 
 3575.	[func]		Changed the logging category for RRL events from
 			'queries' to 'query-errors'. [RT #33540]
 
 3574.	[doc]		The 'hostname' keyword was missing from server-id
 			description in the named.conf man page. [RT #33476]
 
 3573.	[bug]		"rndc addzone" and "rndc delzone" incorrectly handled
 			zone names containing punctuation marks and other
 			nonstandard characters. [RT #33419]
 
 3571.	[bug]		Address race condition in dns_client_startresolve().
 			[RT #33234]
 
 3566.	[func]		Log when forwarding updates to master. [RT #33240]
 
 3554.	[bug]		RRL failed to correctly rate-limit upward
 			referrals and failed to count dropped error
 			responses in the statistics. [RT #33225]
 
 3545.	[bug]		RRL slip behavior was incorrect when set to 1.
 			[RT #33111]
 
 3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
 			so that all dns_rrl_rtype_t enum values fit regardless
 			of whether it is teated as signed or unsigned by
 			the compiler. [RT #32792]
 
 3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
 			amplification attacks by rate-limiting substantially-
 			identical responses. To enable, use "configure
 			--enable-rrl". [RT #28130]
 
 	--- 9.9.3 released ---
 
 3568.	[cleanup]	Add a product description line to the version file,
 			to be reported by named -v/-V. [RT #33366]
 
 3567.	[bug]		Silence clang static analyzer warnings. [RT #33365]
 
 3563.	[contrib]	zone2sqlite failed with some table names. [RT #33375]
 
 3561.	[bug]		dig: issue a warning if an EDNS query returns FORMERR
 			or NOTIMP.  Adjust usage message. [RT #33363]
 
 	--- 9.9.3rc2 released ---
 
 3560.	[bug]		isc-config.sh did not honor includedir and libdir
 			when set via configure. [RT #33345]
 
 3559.	[func]		Check that both forms of Sender Policy Framework
 			records exist or do not exist. [RT #33355]
 
 3558.	[bug]		IXFR of a DLZ stored zone was broken. [RT #33331]
 
 3557.	[bug]		Reloading redirect zones was broken. [RT #33292]
 
 3556.	[maint]		Added AAAA for D.ROOT-SERVERS.NET.
 
 3555.	[bug]		Address theoretical race conditions in acache.c
 			(change #3553 was incomplete). [RT #33252]
 
 3553.	[bug]		Address suspected double free in acache. [RT #33252]
 
 3552.	[bug]		Wrong getopt option string for 'nsupdate -r'.
 			[RT #33280]
 
 3549.	[doc]		Documentation for "request-nsid" was missing.
 			[RT #33153]
 
 3548.	[bug]		The NSID request code in resolver.c was broken
 			resulting in invalid EDNS options being sent.
 			[RT #33153]
 
 3547.	[bug]		Some malformed unknown rdata records were not properly
 			detected and rejected. [RT #33129]
 
 	--- 9.9.3rc1 released ---
 
 3546.	[func]		Add EUI48 and EUI64 types. [RT #33082]
 
 3544.	[contrib]	check5011.pl: Script to report the status of
 			managed keys as recorded in managed-keys.bind.
 			Contributed by Tony Finch <dot@dotat.at>
 
 3543.	[bug]		Update socket structure before attaching to socket
 			manager after accept. [RT #33084]
 
 3541.	[bug]		Parts of libdns were not properly initialized when
 			built in libexport mode. [RT #33028]
 
 3540.	[test]		libt_api: t_info and t_assert were not thread safe.
 
 3539.	[port]		win32: timestamp format didn't match other platforms.
 
 3538.	[test]		Running "make test" now requires loopback interfaces
 			to be set up. [RT #32452]
 
 3537.	[tuning]	Slave zones, when updated, now send NOTIFY messages
 			to peers before being dumped to disk rather than
 			after. [RT #27242]
 
 3535.	[bug]		Minor win32 cleanups. [RT #32962]
 
 3534.	[bug]		Extra text after an embedded NULL was ignored when
 			parsing zone files. [RT #32699]
 
 3533.	[contrib]	query-loc-0.4.0: memory leaks. [RT #32960]
 
 3532.	[contrib]	zkt: fixed buffer overrun, resource leaks. [RT #32960]
 
 3531.	[bug]		win32: A uninitialized value could be returned on out
 			of memory. [RT #32960]
 
 3530.	[contrib]	Better RTT tracking in queryperf. [RT #30128]
 
 3528.	[func]		New "dnssec-coverage" command scans the timing
 			metadata for a set of DNSSEC keys and reports if a
 			lapse in signing coverage has been scheduled
 			inadvertently. (Note: This tool depends on python;
 			it will not be built or installed on systems that
 			do not have a python interpreter.) [RT #28098]
 
 3527.	[compat]	Add a URI to allow applications to explicitly
 			request a particular XML schema from the statistics
 			channel, returning 404 if not supported. [RT #32481]
 
 3526.	[cleanup]	Set up dependencies for unit tests correctly during
 			build. [RT #32803]
 
 3521.	[bug]		Address memory leak in opensslecdsa_link.c. [RT #32249]
 
 3520.	[bug]		'mctx' was not being referenced counted in some places
 			where it should have been.  [RT #32794]
 
 	--- 9.9.3b2 released ---
 
 3517.	[bug]		Reorder destruction to avoid shutdown race. [RT #32777]
 
 3515.	[port]		'%T' is not portable in strftime(). [RT #32763]
 
 3514.	[bug]		The ranges for valid key sizes in ddns-confgen and
 			rndc-confgen were too constrained. Keys up to 512
 			bits are now allowed for most algorithms, and up
 			to 1024 bits for hmac-sha384 and hmac-sha512.
 			[RT #32753]
 
 3511.	[doc]		Improve documentation of redirect zones. [RT #32756]
 
 3509.	[cleanup]	Added a product line to version file to allow for
 			easy naming of different products (BIND
 			vs BIND ESV, for example). [RT #32755]
 
 3508.	[contrib]	queryperf was incorrectly rejecting the -T option.
 			[RT #32338]
 
 3507.	[bug]		Statistics channel XSL (when built with
 			--enable-newstats) had a glitch when attempting
 			to chart query data before any queries had been
 			received. [RT #32620]
 
 3505.	[bug]		When setting "max-cache-size" and "max-acache-size",
 			larger values than 4 gigabytes could not be set
 			explicitly, though larger sizes were available
 			when setting cache size to 0. This has been
 			corrected; the full range is now available.
 			[RT #32358]
 
 3503.	[doc]		Clarify size_spec syntax. [RT #32449]
 
 3501.	[func]		zone-statistics now takes three options: full,
 			terse, and none. "yes" and "no" are retained as
 			synonyms for full and terse, respectively. [RT #29165]
 
 3500.	[security]	Support NAPTR regular expression validation on
 			all platforms without using libregex, which
 			can be vulnerable to memory exhaustion attack
 			(CVE-2013-2266). [RT #32688]
 
 3499.	[doc]		Corrected ARM documentation of built-in zones.
 			[RT #32694]
 
 3498.	[bug]		zone statistics for zones which matched a potential
 			empty zone could have their zone-statistics setting
 			overridden.
 
 3496.	[func]		Improvements to RPZ performance. The "response-policy"
 			syntax now includes a "min-ns-dots" clause, with
 			default 1, to exclude top-level domains from
 			NSIP and NSDNAME checking. --enable-rpz-nsip and
 			--enable-rpz-nsdname are now the default. [RT #32251]
 
 3493.	[contrib]	Added BDBHPT dynamically-lodable DLZ module,
 			contributed by Mark Goldfinch. [RT #32549]
 
 3492.	[bug]		Fixed a regression in zone loading performance
 			due to lock contention. [RT #30399]
 
 3491.	[bug]		Slave zones using inline-signing must specify a
 			file name. [RT #31946]
 
 3489.	[bug]		--enable-developer now turns on ISC_LIST_CHECKINIT.
 			When cloning a rdataset do not copy the link contents.
 			[RT #32651]
 
 3488.	[bug]		Use after free error with DH generated keys. [RT #32649]
 
 3487.	[bug]		Change 3444 was not complete.  There was a additional
 			place where the NOQNAME proof needed to be saved.
 			[RT #32629]
 
 3486.	[bug]		named could crash when using TKEY-negotiated keys
 			that had been deleted and then recreated. [RT #32506]
 
 3485.	[cleanup]	Only compile openssl_gostlink.c if we support GOST.
 
 3483.	[bug]		Corrected XSL code in use with --enable-newstats.
 			[RT #32587]
 
 3481.	[cleanup]	Removed use of const const in atf.
 
 3480.	[bug]		Silence logging noise when setting up zone
 			statistics. [RT #32525]
 
 3479.	[bug]		Address potential memory leaks in gssapi support
 			code. [RT #32405]
 
 3478.	[port]		Fix a build failure in strict C99 environments
 			[RT #32475]
 
 3474.	[bug]		nsupdate could assert when the local and remote
 			address families didn't match. [RT #22897]
 
 3473.	[bug]		dnssec-signzone/verify could incorrectly report
 			an error condition due to an empty node above an
 			opt-out delegation lacking an NSEC3. [RT #32072]
 
 3471.	[bug]		The number of UDP dispatches now defaults to
 			the number of CPUs even if -n has been set to
 			a higher value. [RT #30964]
 
 3470.	[bug]		Slave zones could fail to dump when successfully
 			refreshing after an initial failure. [RT #31276]
 
 	--- 9.9.3b1 released ---
 
 3468.	[security]	RPZ rules to generate A records (but not AAAA records)
 			could trigger an assertion failure when used in
 			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
 
 3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
 			to check for delete date < inactive date. [RT #31719]
 
 3466.	[contrib]	Corrected the DNS_CLIENTINFOMETHODS_VERSION check
 			in DLZ example driver. [RT #32275]
 
 3465.	[bug]		Handle isolated reserved ports. [RT #31778]
 
 3464.	[maint]		Updates to PKCS#11 openssl patches, supporting
 			versions 0.9.8x, 1.0.0j, 1.0.1c [RT #29749]
 
 3463.	[doc]		Clarify managed-keys syntax in ARM. [RT #32232]
 
 3462.	[doc]		Clarify server selection behavior of dig when using
 			-4 or -6 options. [RT #32181]
 
 3461.	[bug]		Negative responses could incorrectly have AD=1
 			set. [RT #32237]
 
 3460.	[bug]		Only link against readline where needed. [RT #29810]
 
 3458.	[bug]		Return FORMERR when presented with a overly long
 			domain named in a request. [RT #29682]
 
 3457.	[protocol]	Add ILNP records (NID, LP, L32, L64). [RT #31836]
 
 3456.	[port]		g++47: ATF failed to compile. [RT #32012]
 
 3455.	[contrib]	queryperf: fix getopt option list. [RT #32338]
 
 3454.	[port]		sparc64: improve atomic support. [RT #25182]
 
 3453.	[bug]		'rndc addzone' of a zone with 'inline-signing yes;'
 			failed. [RT #31960]
 
 3452.	[bug]		Accept duplicate singleton records. [RT #32329]
 
 3451.	[port]		Increase per thread stack size from 64K to 1M.
 			[RT #32230]
 
 3450.	[bug]		Stop logfileconfig system test spam system logs.
 			[RT #32315]
 
 3449.	[bug]		gen.c: use the pre-processor to construct format
 			strings so that compiler can perform sanity checks;
 			check the snprintf results. [RT #17576]
 
 3448.	[bug]		The allow-query-on ACL was not processed correctly.
 			[RT #29486]
 
 3447.	[port]		Add support for libxml2-2.9.x [RT #32231]
 
 3446.	[port]		win32: Add source ID (see change #3400) to build.
 			[RT #31683]
 
 3445.	[bug]		Warn about zone files with blank owner names
 			immediately after $ORIGIN directives. [RT #31848]
 
 3444.	[bug]		The NOQNAME proof was not being returned from cached
 			insecure responses. [RT #21409]
 
 3443.	[bug]		ddns-confgen: Some TSIG algorithms were incorrectly
 			rejected when generating keys. [RT #31927]
 
 3442.	[port]		Net::DNS 0.69 introduced a non backwards compatible
 			change. [RT #32216]
 
 3441.	[maint]		D.ROOT-SERVERS.NET is now 199.7.91.13.
 
 3440.	[bug]		Reorder get_key_struct to not trigger a assertion when
 			cleaning up due to out of memory error. [RT #32131]
 
 3439.	[bug]		contrib/dlz error checking fixes. [RT #32102]
 
 3438.	[bug]		Don't accept unknown data escape in quotes. [RT #32031]
 
 3437.	[bug]		isc_buffer_init -> isc_buffer_constinit to initialize
 			buffers with constant data. [RT #32064]
 
 3436.	[bug]		Check malloc/calloc return values. [RT #32088]
 
 3435.	[bug]		Cross compilation support in configure was broken.
 			[RT #32078]
 
 3431.	[bug]		ddns-confgen: Some valid key algorithms were
 			not accepted. [RT #31927]
 
 3430.	[bug]		win32: isc_time_formatISO8601 was missing the
 			'T' between the date and time. [RT #32044]
 
 3429.	[bug]		dns_zone_getserial2 could a return success without
 			returning a valid serial. [RT #32007]
 
 3428.	[cleanup]	dig: Add timezone to date output. [RT #2269]
 
 3427.	[bug]		dig +trace incorrectly displayed name server
 			addresses instead of names. [RT #31641]
 
 3426.	[bug]		dnssec-checkds: Clearer output when records are not
 			found. [RT #31968]
 
 3425.	[bug]		"acacheentry" reference counting was broken resulting
 			in use after free. [RT #31908]
 
 3424.	[func]		dnssec-dsfromkey now emits the hash without spaces.
 			[RT #31951]
 
 3423.	[bug]		"rndc signing -nsec3param" didn't accept the full
 			range of possible values.  Address portability issues.
 			[RT #31938]
 
 3422.	[bug]		Added a clear error message for when the SOA does not
 			match the referral. [RT #31281]
 
 3421.	[bug]		Named loops when re-signing if all keys are offline.
 			[RT #31916]
 
 3420.	[bug]		Address VPATH compilation issues. [RT #31879]
 
 3419.	[bug]		Memory leak on validation cancel. [RT #31869]
 
 3417.	[func]		Optional new XML schema (version 3.0) for the
 			statistics channel adds query type statistics at the
 			zone level, and flattens the XML tree and uses
 			compressed format to optimize parsing. Includes new XSL
 			that permits charting via the Google Charts API on
 			browsers that support javascript in XSL.  To enable,
 			build with "configure --enable-newstats". [RT #30023]
 
 3416.	[bug]		Named could die on shutdown if running with 128 UDP
 			dispatches per interface. [RT #31743]
 
 3415.	[bug]		named could die with a REQUIRE failure if a validation
 			was canceled. [RT #31804]
 
 3414.	[bug]		Address locking issues found by Coverity. [RT #31626]
 
 3412.	[bug]		Copy timeval structure from control message data.
 			[RT #31548]
 
 3411.	[tuning]	Use IPV6_USE_MIN_MTU or equivalent with TCP in addition
 			to UDP. [RT #31690]
 
 3410.	[bug]		Addressed Coverity warnings. [RT #31626]
 
 3409.	[contrib]	contrib/dane/mkdane.sh: Tool to generate TLSA RR's
 			from X.509 certificates, for use with DANE
 			(DNS-based Authentication of Named Entities).
 			[RT #30513]
 
 3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
 			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
 			are now legal in slave zones as long as
 			inline-signing is in use. [RT #31078]
 
 3406.	[bug]		mem.c: Fix compilation errors when building with
 			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
 			Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
 
 3405.	[bug]		Handle time going backwards in acache. [RT #31253]
 
 3404.	[bug]		dnssec-signzone: When re-signing a zone, remove
 			RRSIG and NSEC records from nodes that used to be
 			in-zone but are now below a zone cut. [RT #31556]
 
 3403.	[bug]		Silence noisy OpenSSL logging. [RT #31497]
 
 3402.	[test]		The IPv6 interface numbers used for system
 			tests were incorrect on some platforms. [RT #25085]
 
 3401.	[bug]		Addressed Coverity warnings. [RT #31484]
 
 3400.	[cleanup]	"named -V" can now report a source ID string, defined
 			in the "srcid" file in the build tree and normally set
 			to the most recent git hash.  [RT #31494]
 
 3399.	[port]		netbsd: rename 'bool' parameter to avoid namespace
 			clash.  [RT #31515]
 
 3398.	[bug]		SOA parameters were not being updated with inline
 			signed zones if the zone was modified while the
 			server was offline. [RT #29272]
 
 3397.	[bug]		dig crashed when using +nssearch with +tcp. [RT #25298]
 
 3396.	[bug]		OPT records were incorrectly removed from signed,
 			truncated responses. [RT #31439]
 
 3395.	[protocol]	Add RFC 6598 reverse zones to built in empty zones
 			list, 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA.
 			[RT #31336]
 
 3394.	[bug]		Adjust 'successfully validated after lower casing
 			signer' log level and category. [RT #31414]
 
 3393.	[bug]		'host -C' could core dump if REFUSED was received.
 			[RT #31381]
 
 3391.	[bug]		A DNSKEY lookup that encountered a CNAME failed.
 			[RT #31262]
 
 3390.	[bug]		Silence clang compiler warnings. [RT #30417]
 
 3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]
 
 3388.	[bug]		Fixed several Coverity warnings.
 			Note: This change includes a fix for a bug that
 			was subsequently determined to be an exploitable
 			security vulnerability, CVE-2012-5688: named could
 			die on specific queries with dns64 enabled.
 			[RT #30996]
 
 3386.	[bug]		Address locking violation when generating new NSEC /
 			NSEC3 chains. [RT #31224]
 
 3385.	[bug]		named-checkconf didn't detect missing master lists
 			in also-notify clauses. [RT #30810]
 
 3384.	[bug]		Improved logging of crypto errors. [RT #30963]
 
 3382.	[bug]		SOA query from slave used use-v6-udp-ports range,
 			if set, regardless of the address family in use.
 			[RT #24173]
 
 3381.	[contrib]	Update queryperf to support more RR types.
 			[RT #30762]
 
 3380.	[bug]		named could die if a nonexistent master list was
 			referenced in a also-notify. [RT #31004]
 
 3379.	[bug]		isc_interval_zero and isc_time_epoch should be
 			"const (type)* const". [RT #31069]
 
 3378.	[bug]		Handle missing 'managed-keys-directory' better.
 			[RT #30625]
 
 3377.	[bug]		Removed spurious newline from NSEC3 multiline
 			output. [RT #31044]
 
 3376.	[bug]		Lack of EDNS support was being recorded without a
 			successful response. [RT #30811]
 
 3375.	[func]		Check that 'rndc dumpdb' works on a empty cache.
 			[RT #30808]
 
 3374.	[bug]		isc_parse_uint32 failed to return a range error on
 			systems with 64 bit longs. [RT #30232]
 
 3372.	[bug]		Silence spurious "deleted from unreachable cache"
 			messages.  [RT #30501]
 
 3371.	[bug]		AD=1 should behave like DO=1 when deciding whether to
 			add NS RRsets to the additional section or not.
 			[RT #30479]
 
 3316.	[tuning]	Improved locking performance when recursing.
 			[RT #28836]
 
 3315.	[tuning]	Use multiple dispatch objects for sending upstream
 			queries; this can improve performance on busy
 			multiprocessor systems by reducing lock contention.
 			[RT #28605]
 
 	--- 9.9.2 released ---
 
 3383.	[security]	A certain combination of records in the RBT could
 			cause named to hang while populating the additional
 			section of a response. [RT #31090]
 
 3373.	[bug]		win32: open raw files in binary mode. [RT #30944]
 
 3364.	[security]	Named could die on specially crafted record.
 			[RT #30416]
 
 	--- 9.9.2rc1 released ---
 
 3370.	[bug]		Address use after free while shutting down. [RT #30241]
 
 3369.	[bug]		nsupdate terminated unexpectedly in interactive mode
 			if built with readline support. [RT #29550]
 
 3368.	[bug]		<dns/iptable.h>, <dns/private.h> and <dns/zone.h>
 			were not C++ safe.
 
 3367.	[bug]		dns_dnsseckey_create() result was not being checked.
 			[RT #30685]
 
 3366.	[bug]		Fixed Read-After-Write dependency violation for IA64
 			atomic operations. [RT #25181]
 
 3365.	[bug]		Removed spurious newlines from log messages in
 			zone.c [RT #30675]
 
 3363.	[bug]		Need to allow "forward" and "fowarders" options
 			in static-stub zones; this had been overlooked.
 			[RT #30482]
 
 3362.	[bug]		Setting some option values to 0 in named.conf
 			could trigger an assertion failure on startup.
 			[RT #27730]
 
 3361.	[bug]		"rndc signing -nsec3param" didn't work correctly
 			when salt was set to '-' (no salt). [RT #30099]
 
 3360.	[bug]		'host -w' could die.  [RT #18723]
 
 3359.	[bug]		An improperly-formed TSIG secret could cause a
 			memory leak. [RT #30607]
 
 3357.	[port]		Add support for libxml2-2.8.x [RT #30440]
 
 3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are
 			approaching their expiry, so they don't remain
 			in caches after expiry. [RT #26429]
 
 3355.	[port]		Use more portable awk in verify system test.
 
 3354.	[func]		Improve OpenSSL error logging. [RT #29932]
 
 	--- 9.9.2b1 released ---
 
 3353.	[bug]		Use a single task for task exclusive operations.
 			[RT #29872]
 
 3352.	[bug]		Ensure that learned server attributes timeout of the
 			adb cache. [RT #29856]
 
 3351.	[bug]		isc_mem_put and isc_mem_putanddetach didn't report
 			caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
 			memory debugging flags are set. [RT #30243]
 
 3350.	[bug]		Memory read overrun in isc___mem_reallocate if
 			ISC_MEM_DEBUGCTX memory debugging flag is set.
 			[RT #30240]
 
 3349.	[bug]		Change #3345 was incomplete. [RT #30233]
 
 3348.	[bug]		Prevent RRSIG data from being cached if a negative
 			record matching the covering type exists at a higher
 			trust level. Such data already can't be retrieved from
 			the cache since change 3218 -- this prevents it
 			being inserted into the cache as well. [RT #26809]
 
 3347.	[bug]		dnssec-settime: Issue a warning when writing a new
 			private key file would cause a change in the
 			permissions of the existing file. [RT #27724]
 
 3346.	[security]	Bad-cache data could be used before it was
 			initialized, causing an assert. [RT #30025]
 
 3345.	[bug]		Addressed race condition when removing the last item
 			or inserting the first item in an ISC_QUEUE.
 			[RT #29539]
 
 3344.	[func]		New "dnssec-checkds" command checks a zone to
 			determine which DS records should be published
 			in the parent zone, or which DLV records should be
 			published in a DLV zone, and queries the DNS to
 			ensure that it exists. (Note: This tool depends
 			on python; it will not be built or installed on
 			systems that do not have a python interpreter.)
 			[RT #28099]
 
 3342.	[bug]		Change #3314 broke saving of stub zones to disk
 			resulting in excessive cpu usage in some cases.
 			[RT #29952]
 
 3341.	[func]		New "dnssec-verify" command checks a signed zone
 			to ensure correctness of signatures and of NSEC/NSEC3
 			chains. [RT #23673]
 
 3339.	[func]		Allow the maximum supported rsa exponent size to be
 			specified: "max-rsa-exponent-size <value>;" [RT #29228]
 
 3338.	[bug]		Address race condition in units tests: asyncload_zone
 			and asyncload_zt. [RT #26100]
 
 3337.	[bug]		Change #3294 broke support for the multiple keys
 			in controls. [RT #29694]
 
 3335.	[func]		nslookup: return a nonzero exit code when unable
 			to get an answer. [RT #29492]
 
 3334.	[bug]		Hold a zone table reference while performing a
 			asynchronous load of a zone. [RT #28326]
 
 3333.	[bug]		Setting resolver-query-timeout too low can cause
 			named to not recover if it loses connectivity.
 			[RT #29623]
 
 3332.	[bug]		Re-use cached DS rrsets if possible. [RT #29446]
 
 3331.	[security]	dns_rdataslab_fromrdataset could produce bad
 			rdataslabs. [RT #29644]
 
 3330.	[func]		Fix missing signatures on NOERROR results despite
 			RPZ rewriting.  Also
 			 - add optional "recursive-only yes|no" to the
 			   response-policy statement
 			 - add optional "max-policy-ttl" to the response-policy
 			    statement to limit the false data that
 			    "recursive-only no" can introduce into
 			    resolvers' caches
 			 - add a RPZ performance test to bin/tests/system/rpz
 			     when queryperf is available.
 			 - the encoding of PASSTHRU action to "rpz-passthru".
 			     (The old encoding is still accepted.)
 			[RT #26172]
 
 
 3329.	[bug]		Handle RRSIG signer-name case consistently: We
 			generate RRSIG records with the signer-name in
 			lower case.  We accept them with any case, but if
 			they fail to validate, we try again in lower case.
 			[RT #27451]
 
 3328.	[bug]		Fixed inconsistent data checking in dst_parse.c.
 			[RT #29401]
 
 3317.	[func]		Add ECDSA support (RFC 6605). [RT #21918]
 
 	--- 9.9.1 released ---
 
 3318.	[tuning]	Reduce the amount of work performed while holding a
 			bucket lock when finished with a fetch context.
 			[RT #29239]
 
 3314.	[bug]		The masters list could be updated while stub_callback
 			or refresh_callback were using it. [RT #26732]
 
 3313.	[protocol]	Add TLSA record type. [RT #28989]
 
 3312.	[bug]		named-checkconf didn't detect a bad dns64 clients acl.
 			[RT #27631]
 
 3311.	[bug]		Abort the zone dump if zone->db is NULL in
 			zone.c:zone_gotwritehandle. [RT #29028]
 
 3310.	[test]		Increase table size for mutex profiling. [RT #28809]
 
 3309.	[bug]		resolver.c:fctx_finddone() was not thread safe.
 			[RT #27995]
 
 3307.	[bug]		Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
 			[RT #28956]
 
 3306.	[bug]		Improve DNS64 reverse zone performance. [RT #28563]
 
 3305.	[func]		Add wire format lookup method to sdb. [RT #28563]
 
 3304.	[bug]		Use hmctx, not mctx when freeing rbtdb->heaps.
 			[RT #28571]
 
 3303.	[bug]		named could die when reloading. [RT #28606]
 
 3302.	[bug]		dns_dnssec_findmatchingkeys could fail to find
 			keys if the zone name contained character that
 			required special mappings. [RT #28600]
 
 3301.	[contrib]	Update queryperf to build on darwin.  Add -R flag
 			for non-recursive queries. [RT #28565]
 
 3300.	[bug]		Named could die if gssapi was enabled in named.conf
 			but was not compiled in. [RT #28338]
 
 3299.	[bug]		Make SDB handle errors from database drivers better.
 			[RT #28534]
 
 3298.	[bug]		Named could dereference a NULL pointer in
 			zmgr_start_xfrin_ifquota if the zone was being removed.
 			[RT #28419]
 
 3297.	[bug]		Named could die on a malformed master file. [RT #28467]
 
 3296.	[bug]		Named could die with a INSIST failure in
 			client.c:exit_check. [RT #28346]
 
 3295.	[bug]		Adjust isc_time_secondsastimet range check to be more
 			portable. [RT # 26542]
 
 3294.	[bug]		isccc/cc.c:table_fromwire failed to free alist on
 			error. [RT #28265]
 
 3291.	[port]		Fixed a build error on systems without ENOTSUP.
 			[RT #28200]
 
 3290.	[bug]		<isc/hmacsha.h> was not being installed. [RT #28169]
 
 3273.	[bug]		AAAA responses could be returned in the additional
 			section even when filter-aaaa-on-v4 was in use.
 			[RT #27292]
 
 	--- 9.9.0 released ---
 
 	--- 9.9.0rc4 released ---
 
 3289.	[bug]		'rndc retransfer' failed for inline zones. [RT #28036]
 
 3288.	[bug]		dlz_destroy() function wasn't correctly registered
 			by the DLZ dlopen driver. [RT #28056]
 
 3287.	[port]		Update ans.pl to work with Net::DNS 0.68. [RT #28028]
 
 3286.	[bug]		Managed key maintenance timer could fail to start
 			after 'rndc reconfig'. [RT #26786]
 
 	--- 9.9.0rc3 released ---
 
 3285.	[bug]		val-frdataset was incorrectly disassociated in
 			proveunsecure after calling startfinddlvsep.
 			[RT #27928]
 
 3284.	[bug]		Address race conditions with the handling of
 			rbtnode.deadlink. [RT #27738]
 
 3283.	[bug]		Raw zones with with more than 512 records in a RRset
 			failed to load. [RT #27863]
 
 3282.	[bug]		Restrict the TTL of NS RRset to no more than that
 			of the old NS RRset when replacing it.
 			[RT #27792] [RT #27884]
 
 3281.	[bug]		SOA refresh queries could be treated as cancelled
 			despite succeeding over the loopback interface.
 			[RT #27782]
 
 3280.	[bug]		Potential double free of a rdataset on out of memory
 			with DNS64. [RT #27762]
 
 3279.	[bug]		Hold a internal reference to the zone while performing
 			a asynchronous load.  Address potential memory leak
 			if the asynchronous is cancelled. [RT #27750]
 
 3278.	[bug]		Make sure automatic key maintenance is started
 			when "auto-dnssec maintain" is turned on during
 			"rndc reconfig". [RT #26805]
 
 3277.	[bug]		win32: isc_socket_dup is not implemented. [RT #27696]
 
 3276.	[bug]		win32: ns_os_openfile failed to return NULL on
 			safe_open failure. [RT #27696]
 
 3275.	[bug]		Corrected rndc -h output; the 'rndc sync -clean'
 			option had been misspelled as '-clear'.  (To avoid
 			future confusion, both options now work.) [RT #27173]
 
 3271.	[port]		darwin: mksymtbl is not always stable, loop several
 			times before giving up.  mksymtbl was using non
 			portable perl to covert 64 bit hex strings. [RT #27653]
 
 	--- 9.9.0rc2 released ---
 
 3270.	[bug]		"rndc reload" didn't reuse existing zones correctly
 			when inline-signing was in use. [RT #27650]
 
 3269.	[port]		darwin 11 and later now built threaded by default.
 
 3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
 			out the earliest expiry time. [RT #23311]
 
 3267.	[bug]		Memory allocation failures could be mis-reported as
 			unexpected error.  New ISC_R_UNSET result code.
 			[RT #27336]
 
 3266.	[bug]		The maximum number of NSEC3 iterations for a
 			DNSKEY RRset was not being properly computed.
 			[RT #26543]
 
 3265.	[bug]		Corrected a problem with lock ordering in the
 			inline-signing code. [RT #27557]
 
 3264.	[bug]		Automatic regeneration of signatures in an
 			inline-signing zone could stall when the server
 			was restarted. [RT #27344]
 
 3263.	[bug]		"rndc sync" did not affect the unsigned side of an
 			inline-signing zone. [RT #27337]
 
 3262.	[bug]		Signed responses were handled incorrectly by RPZ.
 			[RT #27316]
 
 3261.	[func]		RRset ordering now defaults to random. [RT #27174]
 
 3260.	[bug]		"rrset-order cyclic" could appear not to rotate
 			for some query patterns.  [RT #27170/27185]
 
 	--- 9.9.0rc1 released ---
 
 3259.	[bug]		named-compilezone: Suppress "dump zone to <file>"
 			message when writing to stdout. [RT #27109]
 
 3258.	[test]		Add "forcing full sign with unreadable keys" test.
 			[RT #27153]
 
 3257.	[bug]		Do not generate a error message when calling fsync()
 			in a pipe or socket. [RT #27109]
 
 3256.	[bug]		Disable empty zones for lwresd -C. [RT #27139]
 
 3255.	[func]		No longer require that a empty zones be explicitly
 			enabled or that a empty zone is disabled for
 			RFC 1918 empty zones to be configured. [RT #27139]
 
 3254.	[bug]		Set isc_socket_ipv6only() on the IPv6 control channels.
 			[RT #22249]
 
 3253.	[bug]		Return DNS_R_SYNTAX when the input to a text field is
 			too long. [RT #26956]
 
 3252.	[bug]		When master zones using inline-signing were
 			updated while the server was offline, the source
 			zone could fall out of sync with the signed
 			copy. They can now resynchronize. [RT #26676]
 
 3251.	[bug]		Enforce a upper bound (65535 bytes) on the amount of
 			memory dns_sdlz_putrr() can allocate per record to
 			prevent run away memory consumption on ISC_R_NOSPACE.
 			[RT #26956]
 
 3250.	[func]		'configure --enable-developer'; turn on various
 			configure options, normally off by default, that
 			we want developers to build and test with. [RT #27103]
 
 3249.	[bug]		Update log message when saving slave zones files for
 			analysis after load failures. [RT #27087]
 
 3248.	[bug]		Configure options --enable-fixed-rrset and
 			--enable-exportlib were incompatible with each
 			other. [RT #27087]
 
 3247.	[bug]		'raw' format zones failed to preserve load order
 			breaking 'fixed' sort order. [RT #27087]
 
 3246.	[bug]		Named failed to start with a empty also-notify list.
 			[RT #27087]
 
 3245.	[bug]		Don't report a error unchanged serials unless there
 			were other changes when thawing a zone with
 			ixfr-fromdifferences. [RT #26845]
 
 3244.	[func]		Added readline support to nslookup and nsupdate.
 			Also simplified nsupdate syntax to make "update"
 			and "prereq" optional. [RT #24659]
 
 3243.	[port]		freebsd,netbsd,bsdi: the thread defaults were not
 			being properly set.
 
 3242.	[func]		Extended the header of raw-format master files to
 			include the serial number of the zone from which
 			they were generated, if different (as in the case
 			of inline-signing zones).  This is to be used in
 			inline-signing zones, to track changes between the
 			unsigned and signed versions of the zone, which may
 			have different serial numbers.
 
 			(Note: raw zonefiles generated by this version of
 			BIND are no longer compatible with prior versions.
 			To generate a backward-compatible raw zonefile
 			using dnssec-signzone or named-compilezone, specify
 			output format "raw=0" instead of simply "raw".)
 			[RT #26587]
 
 3241.	[bug]		Address race conditions in the resolver code.
 			[RT #26889]
 
 3240.	[bug]		DNSKEY state change events could be missed. [RT #26874]
 
 3239.	[bug]		dns_dnssec_findmatchingkeys needs to use a consistent
 			timestamp. [RT #26883]
 
 3238.	[bug]		keyrdata was not being reinitialized in
 			lib/dns/rbtdb.c:iszonesecure. [RT #26913]
 
 3237.	[bug]		dig -6 didn't work with +trace. [RT #26906]
 
 3236.	[bug]		Backed out changes #3182 and #3202, related to
 			EDNS(0) fallback behavior. [RT #26416]
 
 3235.	[func]		dns_db_diffx, a extended dns_db_diff which returns
 			the generated diff and optionally writes it to a
 			journal. [RT #26386]
 
 3234.	[bug]		'make depend' produced invalid makefiles. [RT #26830]
 
 3233.	[bug]		'rndc freeze/thaw' didn't work for inline zones.
 			[RT #26632]
 
 3232.	[bug]		Zero zone->curmaster before return in
 			dns_zone_setmasterswithkeys(). [RT #26732]
 
 3231.	[bug]		named could fail to send a incompressible zone.
 			[RT #26796]
 
 3230.	[bug]		'dig axfr' failed to properly handle a multi-message
 			axfr with a serial of 0. [RT #26796]
 
 3229.	[bug]		Fix local variable to struct var assignment
 			found by CLANG warning.
 
 3228.	[tuning]	Dynamically grow symbol table to improve zone
 			loading performance. [RT #26523]
 
 3227.	[bug]		Interim fix to make WKS's use of getprotobyname()
 			and getservbyname() self thread safe. [RT #26232]
 
 3226.	[bug]		Address minor resource leakages. [RT #26624]
 
 3225.	[bug]		Silence spurious "setsockopt(517, IPV6_V6ONLY) failed"
 			messages. [RT #26507]
 
 3224.	[bug]		'rndc signing' argument parsing was broken. [RT #26684]
 
 3223.	[bug]		'task_test privilege_drop' generated false positives.
 			[RT #26766]
 
 3222.	[cleanup]	Replace dns_journal_{get,set}_bitws with
 			dns_journal_{get,set}_sourceserial. [RT #26634]
 
 3221.	[bug]		Fixed a potential core dump on shutdown due to
 			referencing fetch context after it's been freed.
 			[RT #26720]
 
 	--- 9.9.0b2 released ---
 
 3220.	[bug]		Change #3186 was incomplete; dns_db_rpz_findips()
 			could fail to set the database version correctly,
 			causing an assertion failure. [RT #26180]
 
 3219.	[bug]		Disable NOEDNS caching following a timeout.
 
 3218.	[security]	Cache lookup could return RRSIG data associated with
 			nonexistent records, leading to an assertion
 			failure. [RT #26590]
 
 3217.	[cleanup]	Fix build problem with --disable-static. [RT #26476]
 
 3216.	[bug]		resolver.c:validated() was not thread-safe. [RT #26478]
 
 3215.	[bug]		'rndc recursing' could cause a core dump. [RT #26495]
 
 3214.	[func]		Add 'named -U' option to set the number of UDP
 			listener threads per interface. [RT #26485]
 
 3213.	[doc]		Clarify ixfr-from-differences behavior. [RT #25188]
 
 3212.	[bug]		rbtdb.c: failed to remove a node from the deadnodes
 			list prior to adding a reference to it leading a
 			possible assertion failure. [RT #23219]
 
 3211.	[func]		dnssec-signzone: "-f -" prints to stdout; "-O full"
 			option prints in single-line-per-record format.
 			[RT #20287]
 
 3210.	[bug]		Canceling the oldest query due to recursive-client
 			overload could trigger an assertion failure. [RT #26463]
 
 3209.	[func]		Add "dnssec-lookaside 'no'".  [RT #24858]
 
 3208.	[bug]		'dig -y' handle unknown tsig algorithm better.
 			[RT #25522]
 
 3207.	[contrib]	Fixed build error in Berkeley DB DLZ module. [RT #26444]
 
 3206.	[cleanup]	Add ISC information to log at start time. [RT #25484]
 
 3205.	[func]		Upgrade dig's defaults to better reflect modern
 			nameserver behavior.  Enable "dig +adflag" and
 			"dig +edns=0" by default.  Enable "+dnssec" when
 			running "dig +trace". [RT #23497]
 
 3204.	[bug]		When a master server that has been marked as
 			unreachable sends a NOTIFY, mark it reachable
 			again. [RT #25960]
 
 3203.	[bug]		Increase log level to 'info' for validation failures
 			from expired or not-yet-valid RRSIGs. [RT #21796]
 
 3202.	[bug]		NOEDNS caching on timeout was too aggressive.
 			[RT #26416]
 
 3201.	[func]		'rndc querylog' can now be given an on/off parameter
 			instead of only being used as a toggle. [RT #18351]
 
 3200.	[doc]		Some rndc functions were undocumented or were
 			missing from 'rndc -h' output. [RT #25555]
 
 3199.	[func]		When logging client information, include the name
 			being queried. [RT #25944]
 
 3198.	[doc]		Clarified that dnssec-settime can alter keyfile
 			permissions. [RT #24866]
 
 3197.	[bug]		Don't try to log the filename and line number when
 			the config parser can't open a file. [RT #22263]
 
 3196.	[bug]		nsupdate: return nonzero exit code when target zone
 			doesn't exist. [RT #25783]
 
 3195.	[cleanup]	Silence "file not found" warnings when loading
 			managed-keys zone. [RT #26340]
 
 3194.	[doc]		Updated RFC references in the 'empty-zones-enable'
 			documentation. [RT #25203]
 
 3193.	[cleanup]	Changed MAXZONEKEYS to DNS_MAXZONEKEYS, moved to
 			dnssec.h. [RT #26415]
 
 3192.	[bug]		A query structure could be used after being freed.
 			[RT #22208]
 
 3191.	[bug]		Print NULL records using "unknown" format. [RT #26392]
 
 3190.	[bug]		Underflow in error handling in isc_mutexblock_init.
 			[RT #26397]
 
 3189.	[test]		Added a summary report after system tests. [RT #25517]
 
 3188.	[bug]		zone.c:zone_refreshkeys() could fail to detach
 			references correctly when errors occurred, causing
 			a hang on shutdown. [RT #26372]
 
 3187.	[port]		win32: support for Visual Studio 2008.  [RT #26356]
 
 	--- 9.9.0b1 released ---
 
 3186.	[bug]		Version/db mis-match in rpz code. [RT #26180]
 
 3185.	[func]		New 'rndc signing' option for auto-dnssec zones:
 			 - 'rndc signing -list' displays the current
 			   state of signing operations
 			 - 'rndc signing -clear' clears the signing state
 			   records for keys that have fully signed the zone
 			 - 'rndc signing -nsec3param' sets the NSEC3
 			   parameters for the zone
 			The 'rndc keydone' syntax is removed. [RT #23729]
 
 3184.	[bug]		named had excessive cpu usage when a redirect zone was
 			configured. [RT #26013]
 
 3183.	[bug]		Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
 
 3182.	[bug]		Auth servers behind firewalls which block packets
 			greater than 512 bytes may cause other servers to
 			perform poorly. Now, adb retains edns information
 			and caches noedns servers. [RT #23392/24964]
 
 3181.	[func]		Inline-signing is now supported for master zones.
 			[RT #26224]
 
 3180.	[func]		Local copies of slave zones are now saved in raw
 			format by default, to improve startup performance.
 			'masterfile-format text;' can be used to override
 			the default, if desired. [RT #25867]
 
 3179.	[port]		kfreebsd: build issues. [RT #26273]
 
 3178.	[bug]		A race condition introduced by change #3163 could
 			cause an assertion failure on shutdown. [RT #26271]
 
 3177.	[func]		'rndc keydone', remove the indicator record that
 			named has finished signing the zone with the
 			corresponding key.  [RT #26206]
 
 3176.	[doc]		Corrected example code and added a README to the
 			sample external DLZ module in contrib/dlz/example.
 			[RT #26215]
 
 3175.	[bug]		Fix how DNSSEC positive wildcard responses from a
 			NSEC3 signed zone are validated.  Stop sending a
 			unnecessary NSEC3 record when generating such
 			responses. [RT #26200]
 
 3174.	[bug]		Always compute to revoked key tag from scratch.
 			[RT #26186]
 
 3173.	[port]		Correctly validate root DS responses. [RT #25726]
 
 3172.	[port]		darwin 10.* and freebsd [89] are now built threaded by
 			default.
 
 3171.	[bug]		Exclusively lock the task when adding a zone using
 			'rndc addzone'.  [RT #25600]
 
 	--- 9.9.0a3 released ---
 
 3170.	[func]		RPZ update:
 			- fix precedence among competing rules
 			- improve ARM text including documenting rule precedence
 			- try to rewrite CNAME chains until first hit
 			- new "rpz" logging channel
 			- RDATA for CNAME rules can include wildcards
 			- replace "NO-OP" named.conf policy override with
 			  "PASSTHRU" and add "DISABLED" override ("NO-OP"
 			  is still recognized)
 			[RT #25172]
 
 3169.	[func]		Catch db/version mis-matches when calling dns_db_*().
 			[RT #26017]
 
 3168.	[bug]		Nxdomain redirection could trigger an assert with
 			a ANY query. [RT #26017]
 
 3167.	[bug]		Negative answers from forwarders were not being
 			correctly tagged making them appear to not be cached.
 			[RT #25380]
 
 3166.	[bug]		Upgrading a zone to support inline-signing failed.
 			[RT #26014]
 
 3165.	[bug]		dnssec-signzone could generate new signatures when
 			resigning, even when valid signatures were already
 			present. [RT #26025]
 
 3164.	[func]		Enable DLZ modules to retrieve client information,
 			so that responses can be changed depending on the
 			source address of the query. [RT #25768]
 
 3163.	[bug]		Use finer-grained locking in client.c to address
 			concurrency problems with large numbers of threads.
 			[RT #26044]
 
 3162.	[test]		start.pl: modified to allow for "named.args" in
 			ns*/ subdirectory to override stock arguments to
 			named. Largely from RT #26044, but no separate ticket.
 
 3161.	[bug]		zone.c:del_sigs failed to always reset rdata leading
 			assertion failures. [RT #25880]
 
 3160.	[bug]		When printing out a NSEC3 record in multiline form
 			the newline was not being printed causing type codes
 			to be run together. [RT #25873]
 
 3159.	[bug]		On some platforms, named could assert on startup
 			when running in a chrooted environment without
 			/proc. [RT #25863]
 
 3158.	[bug]		Recursive servers would prefer a particular UDP
 			socket instead of using all available sockets.
 			[RT #26038]
 
 3157.	[tuning]	Reduce the time spent in "rndc reconfig" by parsing
 			the config file before pausing the server. [RT #21373]
 
 3156.	[placeholder]
 
 	--- 9.9.0a2 released ---
 
 3155.	[bug]		Fixed a build failure when using contrib DLZ
 			drivers (e.g., mysql, postgresql, etc). [RT #25710]
 
 3154.	[bug]		Attempting to print an empty rdataset could trigger
 			an assert. [RT #25452]
 
 3153.	[func]		Extend request-ixfr to zone level and remove the
 			side effect of forcing an AXFR. [RT #25156]
 
 3152.	[cleanup]	Some versions of gcc and clang failed due to
 			incorrect use of __builtin_expect. [RT #25183]
 
 3151.	[bug]		Queries for type RRSIG or SIG could be handled
 			incorrectly.  [RT #21050]
 
 3150.	[func]		Improved startup and reconfiguration time by
 			enabling zones to load in multiple threads. [RT #25333]
 
 3149.	[placeholder]
 
 3148.	[bug]		Processing of normal queries could be stalled when
 			forwarding a UPDATE message. [RT #24711]
 
 3147.	[func]		Initial inline signing support.  [RT #23657]
 
 	--- 9.9.0a1 released ---
 
 3146.	[test]		Fixed gcc4.6.0 errors in ATF. [RT #25598]
 
 3145.	[test]		Capture output of ATF unit tests in "./atf.out" if
 			there were any errors while running them. [RT #25527]
 
 3144.	[bug]		dns_dbiterator_seek() could trigger an assert when
 			used with a nonexistent database node. [RT #25358]
 
 3143.	[bug]		Silence clang compiler warnings. [RT #25174]
 
 3142.	[bug]		NAPTR is class agnostic. [RT #25429]
 
 3141.	[bug]		Silence spurious "zone serial (0) unchanged" messages
 			associated with empty zones. [RT #25079]
 
 3140.	[func]		New command "rndc flushtree <name>" clears the
 			specified name from the server cache along with
 			all names under it. [RT #19970]
 
 3139.	[test]		Added tests from RFC 6234, RFC 2202, and RFC 1321
 			for the hashing algorithms (md5, sha1 - sha512, and
 			their hmac counterparts).  [RT #25067]
 
 3138.	[bug]		Address memory leaks and out-of-order operations when
 			shutting named down. [RT #25210]
 
 3137.	[func]		Improve hardware scalability by allowing multiple
 			worker threads to process incoming UDP packets.
 			This can significantly increase query throughput
 			on some systems.  [RT #22992]
 
 3136.	[func]		Add RFC 1918 reverse zones to the list of built-in
 			empty zones switched on by the 'empty-zones-enable'
 			option. [RT #24990]
 
 3135.	[port]		FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
 			See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
 			[RT #24950]
 
 3134.	[bug]		Improve the accuracy of dnssec-signzone's signing
 			statistics. [RT #16030]
 
 3133.	[bug]		Change #3114 was incomplete. [RT #24577]
 
 3132.	[placeholder]
 
 3131.	[tuning]	Improve scalability by allocating one zone task
 			per 100 zones at startup time, rather than using a
 			fixed-size task table. [RT #24406]
 
 3130.	[func]		Support alternate methods for managing a dynamic
 			zone's serial number.  Two methods are currently
 			defined using serial-update-method, "increment"
 			(default) and "unixtime".  [RT #23849]
 
 3129.	[bug]		Named could crash on 'rndc reconfig' when
 			allow-new-zones was set to yes and named ACLs
 			were used. [RT #22739]
 
 3128.	[func]		Inserting an NSEC3PARAM via dynamic update in an
 			auto-dnssec zone that has not been signed yet
 			will cause it to be signed with the specified NSEC3
 			parameters when keys are activated.  The
 			NSEC3PARAM record will not appear in the zone until
 			it is signed, but the parameters will be stored.
 			[RT #23684]
 
 3127.	[bug]		'rndc thaw' will now remove a zone's journal file
 			if the zone serial number has been changed and
 			ixfr-from-differences is not in use.  [RT #24687]
 
 3126.	[security]	Using DNAME record to generate replacements caused
 			RPZ to exit with a assertion failure. [RT #24766]
 
 3125.	[security]	Using wildcard CNAME records as a replacement with
 			RPZ caused named to exit with a assertion failure.
 			[RT #24715]
 
 3124.	[bug]		Use an rdataset attribute flag to indicate
 			negative-cache records rather than using rrtype 0;
 			this will prevent problems when that rrtype is
 			used in actual DNS packets. [RT #24777]
 
 3123.	[security]	Change #2912 exposed a latent flaw in
 			dns_rdataset_totext() that could cause named to
 			crash with an assertion failure. [RT #24777]
 
 3122.	[cleanup]	dnssec-settime: corrected usage message. [RT #24664]
 
 3121.	[security]	An authoritative name server sending a negative
 			response containing a very large RRset could
 			trigger an off-by-one error in the ncache code
 			and crash named. [RT #24650]
 
 3120.	[bug]		Named could fail to validate zones listed in a DLV
 			that validated insecure without using DLV and had
 			DS records in the parent zone. [RT #24631]
 
 3119.	[bug]		When rolling to a new DNSSEC key, a private-type
 			record could be created and never marked complete.
 			[RT #23253]
 
 3118.	[bug]		nsupdate could dump core on shutdown when using
 			SIG(0) keys. [RT #24604]
 
 3117.	[cleanup]	Remove doc and parser references to the
 			never-implemented 'auto-dnssec create' option.
 			[RT #24533]
 
 3116.	[func]		New 'dnssec-update-mode' option controls updates
 			of DNSSEC records in signed dynamic zones.  Set to
 			'no-resign' to disable automatic RRSIG regeneration
 			while retaining the ability to sign new or changed
 			data. [RT #24533]
 
 3115.	[bug]		Named could fail to return requested data when
 			following a CNAME that points into the same zone.
 			[RT #24455]
 
 3114.	[bug]		Retain expired RRSIGs in dynamic zones if key is
 			inactive and there is no replacement key. [RT #23136]
 
 3113.	[doc]		Document the relationship between serial-query-rate
 			and NOTIFY messages.
 
 3112.	[doc]		Add missing descriptions of the update policy name
 			types "ms-self", "ms-subdomain", "krb5-self" and
 			"krb5-subdomain", which allow machines to update
 			their own records, to the BIND 9 ARM.
 
 3111.	[bug]		Improved consistency checks for dnssec-enable and
 			dnssec-validation, added test cases to the
 			checkconf system test. [RT #24398]
 
 3110.	[bug]		dnssec-signzone: Wrong error message could appear
 			when attempting to sign with no KSK. [RT #24369]
 
 3109.	[func]		The also-notify option now uses the same syntax
 			as a zone's masters clause.  This means it is
 			now possible to specify a TSIG key to use when
 			sending notifies to a given server, or to include
 			an explicit named masters list in an also-notfiy
 			statement.  [RT #23508]
 
 3108.	[cleanup]	dnssec-signzone: Clarified some error and
 			warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
 			code (use -P instead). [RT #20852]
 
 3107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
 			when using -x. [RT #20852]
 
 3106.	[func]		When logging client requests, include the name of
 			the TSIG key if any. [RT #23619]
 
 3105.	[bug]		GOST support can be suppressed by "configure
 			--without-gost" [RT #24367]
 
 3104.	[bug]		Better support for cross-compiling. [RT #24367]
 
 3103.	[bug]		Configuring 'dnssec-validation auto' in a view
 			instead of in the options statement could trigger
 			an assertion failure in named-checkconf. [RT #24382]
 
 3102.	[func]		New 'dnssec-loadkeys-interval' option configures
 			how often, in minutes, to check the key repository
 			for updates when using automatic key maintenance.
 			Default is every 60 minutes (formerly hard-coded
 			to 12 hours). [RT #23744]
 
 3101.	[bug]		Zones using automatic key maintenance could fail
 			to check the key repository for updates. [RT #23744]
 
 3100.	[security]	Certain response policy zone configurations could
 			trigger an INSIST when receiving a query of type
 			RRSIG. [RT #24280]
 
 3099.	[test]		"dlz" system test now runs but gives R:SKIPPED if
 			not compiled with --with-dlz-filesystem.  [RT #24146]
 
 3098.	[bug]		DLZ zones were answering without setting the AA bit.
 			[RT #24146]
 
 3097.	[test]		Add a tool to test handling of malformed packets.
 			[RT #24096]
 
 3096.	[bug]		Set KRB5_KTNAME before calling log_cred() in
 			dst_gssapi_acceptctx(). [RT #24004]
 
 3095.	[bug]		Handle isolated reserved ports in the port range.
 			[RT #23957]
 
 3094.	[doc]		Expand dns64 documentation.
 
 3093.	[bug]		Fix gssapi/kerberos dependencies [RT #23836]
 
 3092.	[bug]		Signatures for records at the zone apex could go
 			stale due to an incorrect timer setting. [RT #23769]
 
 3091.	[bug]		Fixed a bug in which zone keys that were published
 			and then subsequently activated could fail to trigger
 			automatic signing. [RT #22911]
 
 3090.	[func]		Make --with-gssapi default [RT #23738]
 
 3089.	[func]		dnssec-dsfromkey now supports reading keys from
 			standard input "dnssec-dsfromkey -f -". [RT #20662]
 
 3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
 			and add setup.sh in order to resolve changing
 			named.conf issue.  [RT #23687]
 
 3087.	[bug]		DDNS updates using SIG(0) with update-policy match
 			type "external" could cause a crash. [RT #23735]
 
 3086.	[bug]		Running dnssec-settime -f on an old-style key will
 			now force an update to the new key format even if no
 			other change has been specified, using "-P now -A now"
 			as default values.  [RT #22474]
 
 3085.	[func]		New '-R' option in dnssec-signzone forces removal
 			of signatures which have not yet expired but
 			were generated by a key that no longer exists.
 			[RT #22471]
 
 3084.	[func]		A new command "rndc sync" dumps pending changes in
 			a dynamic zone to disk; "rndc sync -clean" also
 			removes the journal file after syncing.  Also,
 			"rndc freeze" no longer removes journal files.
 			[RT #22473]
 
 3083.	[bug]		NOTIFY messages were not being sent when generating
 			a NSEC3 chain incrementally. [RT #23702]
 
 3082.	[port]		strtok_r is threads only. [RT #23747]
 
 3081.	[bug]		Failure of DNAME substitution did not return
 			YXDOMAIN. [RT #23591]
 
 3080.	[cleanup]	Replaced compile time constant by STDTIME_ON_32BITS.
 			[RT #23587]
 
 3079.	[bug]		Handle isc_event_allocate failures in t_tasks.
 			[RT #23572]
 
 3078.	[func]		Added a new include file with function typedefs
 			for the DLZ "dlopen" driver. [RT #23629]
 
 3077.	[bug]		zone.c:zone_refreshkeys() incorrectly called
 			dns_zone_attach(), use zone->irefs instead. [RT #23303]
 
 3076.	[func]		New '-L' option in dnssec-keygen, dnsset-settime, and
 			dnssec-keyfromlabel sets the default TTL of the
 			key.  When possible, automatic signing will use that
 			TTL when the key is published.  [RT #23304]
 
 3075.	[bug]		dns_dnssec_findzonekeys{2} used a inconsistent
 			timestamp when determining which keys are active.
 			[RT #23642]
 
 3074.	[bug]		Make the adb cache read through for zone data and
 			glue learn for zone named is authoritative for.
 			[RT #22842]
 
 3073.	[bug]		managed-keys changes were not properly being recorded.
 			[RT #20256]
 
 3072.	[bug]		dns_dns64_aaaaok() potential NULL pointer dereference.
 			[RT #20256]
 
 3071.	[bug]		has_nsec could be used uninitialized in
 			update.c:next_active. [RT #20256]
 
 3070.	[bug]		dnssec-signzone potential NULL pointer dereference.
 			[RT #20256]
 
 3069.	[cleanup]	Silence warnings messages from clang static analysis.
 			[RT #20256]
 
 3068.	[bug]		Named failed to build with a OpenSSL without engine
 			support. [RT #23473]
 
 3067.	[bug]		ixfr-from-differences {master|slave}; failed to
 			select the master/slave zones.  [RT #23580]
 
 3066.	[func]		The DLZ "dlopen" driver is now built by default,
 			no longer requiring a configure option.  To
 			disable it, use "configure --without-dlopen".
 			Driver also supported on win32.  [RT #23467]
 
 3065.	[bug]		RRSIG could have time stamps too far in the future.
 			[RT #23356]
 
 3064.	[bug]		powerpc: add sync instructions to the end of atomic
 			operations. [RT #23469]
 
 3063.	[contrib]	More verbose error reporting from DLZ LDAP. [RT #23402]
 
 3062.	[func]		Made several changes to enhance human readability
 			of DNSSEC data in dig output and in generated
 			zone files:
 			 - DNSKEY record comments are more verbose, no
 			   longer used in multiline mode only
 			 - multiline RRSIG records reformatted
 			 - multiline output mode for NSEC3PARAM records
 			 - "dig +norrcomments" suppresses DNSKEY comments
 			 - "dig +split=X" breaks hex/base64 records into
 			   fields of width X; "dig +nosplit" disables this.
 			[RT #22820]
 
 3061.	[func]		New option "dnssec-signzone -D", only write out
 			generated DNSSEC records. [RT #22896]
 
 3060.	[func]		New option "dnssec-signzone -X <date>" allows
 			specification of a separate expiration date
 			for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
 
 3059.	[test]		Added a regression test for change #3023.
 
 3058.	[bug]		Cause named to terminate at startup or rndc reconfig/
 			reload to fail, if a log file specified in the conf
 			file isn't a plain file. [RT #22771]
 
 3057.	[bug]		"rndc secroots" would abort after the first error
 			and so could miss some views. [RT #23488]
 
 3056.	[func]		Added support for URI resource record. [RT #23386]
 
 3055.	[placeholder]
 
 3054.	[bug]		Added elliptic curve support check in
 			GOST OpenSSL engine detection. [RT #23485]
 
 3053.	[bug]		Under a sustained high query load with a finite
 			max-cache-size, it was possible for cache memory
 			to be exhausted and not recovered. [RT #23371]
 
 3052.	[test]		Fixed last autosign test report. [RT #23256]
 
 3051.	[bug]		NS records obscure DNAME records at the bottom of the
 			zone if both are present. [RT #23035]
 
 3050.	[bug]		The autosign system test was timing dependent.
 			Wait for the initial autosigning to complete
 			before running the rest of the test. [RT #23035]
 
 3049.	[bug]		Save and restore the gid when creating creating
 			named.pid at startup. [RT #23290]
 
 3048.	[bug]		Fully separate view key management. [RT #23419]
 
 3047.	[bug]		DNSKEY NODATA responses not cached fixed in
 			validator.c. Tests added to dnssec system test.
 			[RT #22908]
 
 3046.	[bug]		Use RRSIG original TTL to compute validated RRset
 			and RRSIG TTL. [RT #23332]
 
 3045.	[removed]	Replaced by change #3050.
 
 3044.	[bug]		Hold the socket manager lock while freeing the socket.
 			[RT #23333]
 
 3043.	[test]		Merged in the NetBSD ATF test framework (currently
 			version 0.12) for development of future unit tests.
 			Use configure --with-atf to build ATF internally
 			or configure --with-atf=prefix to use an external
 			copy.  [RT #23209]
 
 3042.	[bug]		dig +trace could fail attempting to use IPv6
 			addresses on systems with only IPv4 connectivity.
 			[RT #23297]
 
 3041.	[bug]		dnssec-signzone failed to generate new signatures on
 			ttl changes. [RT #23330]
 
 3040.	[bug]		Named failed to validate insecure zones where a node
 			with a CNAME existed between the trust anchor and the
 			top of the zone. [RT #23338]
 
 3039.	[func]		Redirect on NXDOMAIN support. [RT #23146]
 
 3038.	[bug]		Install <dns/rpz.h>.  [RT #23342]
 
 3037.	[doc]		Update COPYRIGHT to contain all the individual
 			copyright notices that cover various parts.
 
 3036.	[bug]		Check built-in zone arguments to see if the zone
 			is re-usable or not. [RT #21914]
 
 3035.	[cleanup]	Simplify by using strlcpy. [RT #22521]
 
 3034.	[cleanup]	nslookup: use strlcpy instead of safecopy. [RT #22521]
 
 3033.	[cleanup]	Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
 			[RT #22521]
 
 3032.	[bug]		rdatalist.c: add missing REQUIREs. [RT #22521]
 
 3031.	[bug]		dns_rdataclass_format() handle a zero sized buffer.
 			[RT #22521]
 
 3030.	[bug]		dns_rdatatype_format() handle a zero sized buffer.
 			[RT #22521]
 
 3029.	[bug]		isc_netaddr_format() handle a zero sized buffer.
 			[RT #22521]
 
 3028.	[bug]		isc_sockaddr_format() handle a zero sized buffer.
 			[RT #22521]
 
 3027.	[bug]		Add documented REQUIREs to cfg_obj_asnetprefix() to
 			catch NULL pointer dereferences before they happen.
 			[RT #22521]
 
 3026.	[bug]		lib/isc/httpd.c: check that we have enough space
 			after calling grow_headerspace() and if not
 			re-call grow_headerspace() until we do. [RT #22521]
 
 3025.	[bug]		Fixed a possible deadlock due to zone resigning.
 			[RT #22964]
 
 3024.	[func]		RTT Banding removed due to minor security increase
 			but major impact on resolver latency. [RT #23310]
 
 3023.	[bug]		Named could be left in an inconsistent state when
 			receiving multiple AXFR response messages that were
 			not all TSIG-signed. [RT #23254]
 
 3022.	[bug]		Fixed rpz SERVFAILs after failed zone transfers
 			[RT #23246]
 
 3021.	[bug]		Change #3010 was incomplete. [RT #22296]
 
 3020.	[bug]		auto-dnssec failed to correctly update the zone when
 			changing the DNSKEY RRset. [RT #23232]
 
 3019.	[test]		Test: check apex NSEC3 records after adding DNSKEY
 			record via UPDATE. [RT #23229]
 
 3018.	[bug]		Named failed to check for the "none;" acl when deciding
 			if a zone may need to be re-signed. [RT #23120]
 
 3017.	[doc]		dnssec-keyfromlabel -I was not properly documented.
 			[RT #22887]
 
 3016.	[bug]		rndc usage missing '-b'. [RT #22937]
 
 3015.	[port]		win32: fix IN6_IS_ADDR_LINKLOCAL and
 			IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
 
 3014.	[placeholder]
 
 3013.	[bug]		The DNS64 ttl was not always being set as expected.
 			[RT #23034]
 
 3012.	[bug]		Remove DNSKEY TTL change pairs before generating
 			signing records for any remaining DNSKEY changes.
 			[RT #22590]
 
 3011.	[func]		Change the default query timeout from 30 seconds
 			to 10.  Allow setting this in named.conf using the new
 			'resolver-query-timeout' option, which specifies a max
 			time in seconds.  0 means 'default' and anything longer
 			than 30 will be silently set to 30. [RT #22852]
 
 3010.	[bug]		Fixed a bug where "rndc reconfig" stopped the timer
 			for refreshing managed-keys. [RT #22296]
 
 3009.	[bug]		clients-per-query code didn't work as expected with
 			particular query patterns. [RT #22972]
 
 	--- 9.8.0b1 released ---
 
 3008.	[func]		Response policy zones (RPZ) support. [RT #21726]
 
 3007.	[bug]		Named failed to preserve the case of domain names in
 			rdata which is not compressible when writing master
 			files.  [RT #22863]
 
 3006.	[func]		Allow dynamically generated TSIG keys to be preserved
 			across restarts of named.  Initially this is for
 			TSIG keys generated using GSSAPI. [RT #22639]
 
 3005.	[port]		Solaris: Work around the lack of
 			gsskrb5_register_acceptor_identity() by setting
 			the KRB5_KTNAME environment variable to the
 			contents of tkey-gssapi-keytab.  Also fixed
 			test errors on MacOSX.  [RT #22853]
 
 3004.	[func]		DNS64 reverse support. [RT #22769]
 
 3003.	[experimental]	Added update-policy match type "external",
 			enabling named to defer the decision of whether to
 			allow a dynamic update to an external daemon.
 			(Contributed by Andrew Tridgell.) [RT #22758]
 
 3002.	[bug]		isc_mutex_init_errcheck() failed to destroy attr.
 			[RT #22766]
 
 3001.	[func]		Added a default trust anchor for the root zone, which
 			can be switched on by setting "dnssec-validation auto;"
 			in the named.conf options. [RT #21727]
 
 3000.	[bug]		More TKEY/GSS fixes:
 			 - nsupdate can now get the default realm from
 			   the user's Kerberos principal
 			 - corrected gsstest compilation flags
 			 - improved documentation
 			 - fixed some NULL dereferences
 			[RT #22795]
 
 2999.	[func]		Add GOST support (RFC 5933). [RT #20639]
 
 2998.	[func]		Add isc_task_beginexclusive and isc_task_endexclusive
 			to the task api. [RT #22776]
 
 2997.	[func]		named -V now reports the OpenSSL and libxml2 verions
 			it was compiled against. [RT #22687]
 
 2996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
 			[RT #22589]
 
 2995.	[bug]		The Kerberos realm was not being correctly extracted
 			from the signer's identity. [RT #22770]
 
 2994.	[port]		NetBSD: use pthreads by default on NetBSD >= 5.0, and
 			do not use threads on earlier versions.  Also kill
 			the unproven-pthreads, mit-pthreads, and ptl2 support.
 
 2993.	[func]		Dynamically grow adb hash tables. [RT #21186]
 
 2992.	[contrib]	contrib/check-secure-delegation.pl:  A simple tool
 			for looking at a secure delegation. [RT #22059]
 
 2991.	[contrib]	contrib/zone-edit.sh: A simple zone editing tool for
 			dynamic zones. [RT #22365]
 
 2990.	[bug]		'dnssec-settime -S' no longer tests prepublication
 			interval validity when the interval is set to 0.
 			[RT #22761]
 
 2989.	[func]		Added support for writable DLZ zones. (Contributed
 			by Andrew Tridgell of the Samba project.) [RT #22629]
 
 2988.	[experimental]	Added a "dlopen" DLZ driver, allowing the creation
 			of external DLZ drivers that can be loaded as
 			shared objects at runtime rather than linked with
 			named.  Currently this is switched on via a
 			compile-time option, "configure --with-dlz-dlopen".
 			Note: the syntax for configuring DLZ zones
 			is likely to be refined in future releases.
 			(Contributed by Andrew Tridgell of the Samba
 			project.) [RT #22629]
 
 2987.	[func]		Improve ease of configuring TKEY/GSS updates by
 			adding a "tkey-gssapi-keytab" option.  If set,
 			updates will be allowed with any key matching
 			a principal in the specified keytab file.
 			"tkey-gssapi-credential" is no longer required
 			and is expected to be deprecated.  (Contributed
 			by Andrew Tridgell of the Samba project.)
 			[RT #22629]
 
 2986.	[func]		Add new zone type "static-stub".  It's like a stub
 			zone, but the nameserver names and/or their IP
 			addresses are statically configured. [RT #21474]
 
 2985.	[bug]		Add a regression test for change #2896. [RT #21324]
 
 2984.	[bug]		Don't run MX checks when the target of the MX record
 			is ".".  [RT #22645]
 
 2983.	[bug]		Include "loadkeys" in rndc help output. [RT #22493]
 
 	--- 9.8.0a1 released ---
 
 2982.	[bug]		Reference count dst keys.  dst_key_attach() can be used
 			increment the reference count.
 
 			Note: dns_tsigkey_createfromkey() callers should now
 			always call dst_key_free() rather than setting it
 			to NULL on success. [RT #22672]
 
 2981.	[func]		Partial DNS64 support (AAAA synthesis). [RT #21991]
 
 2980.	[bug]		named didn't properly handle UPDATES that changed the
 			TTL of the NSEC3PARAM RRset. [RT #22363]
 
 2979.	[bug]		named could deadlock during shutdown if two
 			"rndc stop" commands were issued at the same
 			time. [RT #22108]
 
 2978.	[port]		hpux: look for <devpoll.h> [RT #21919]
 
 2977.	[bug]		'nsupdate -l' report if the session key is missing.
 			[RT #21670]
 
 2976.	[bug]		named could die on exit after negotiating a GSS-TSIG
 			key. [RT #22573]
 
 2975.	[bug]		rbtdb.c:cleanup_dead_nodes_callback() acquired the
 			wrong lock which could lead to server deadlock.
 			[RT #22614]
 
 2974.	[bug]		Some valid UPDATE requests could fail due to a
 			consistency check examining the existing version
 			of the zone rather than the new version resulting
 			from the UPDATE. [RT #22413]
 
 2973.	[bug]		bind.keys.h was being removed by the "make clean"
 			at the end of configure resulting in build failures
 			where there is very old version of perl installed.
 			Move it to "make maintainer-clean". [RT #22230]
 
 2972.	[bug]		win32: address windows socket errors. [RT #21906]
 
 2971.	[bug]		Fixed a bug that caused journal files not to be
 			compacted on Windows systems as a result of
 			non-POSIX-compliant rename() semantics. [RT #22434]
 
 2970.	[security]	Adding a NO DATA negative cache entry failed to clear
 			any matching RRSIG records.  A subsequent lookup of
 			of NO DATA cache entry could trigger a INSIST when the
 			unexpected RRSIG was also returned with the NO DATA
 			cache entry.
 
 			CVE-2010-3613, VU#706148. [RT #22288]
 
 2969.	[security]	Fix acl type processing so that allow-query works
 			in options and view statements.  Also add a new
 			set of tests to verify proper functioning.
 
 			CVE-2010-3615, VU#510208. [RT #22418]
 
 2968.	[security]	Named could fail to prove a data set was insecure
 			before marking it as insecure.  One set of conditions
 			that can trigger this occurs naturally when rolling
 			DNSKEY algorithms.
 
 			CVE-2010-3614, VU#837744. [RT #22309]
 
 2967.	[bug]		'host -D' now turns on debugging messages earlier.
 			[RT #22361]
 
 2966.	[bug]		isc_print_vsnprintf() failed to check if there was
 			space available in the buffer when adding a left
 			justified character with a non zero width,
 			(e.g. "%-1c"). [RT #22270]
 
 2965.	[func]		Test HMAC functions using test data from RFC 2104 and
 			RFC 4634. [RT #21702]
 
 2964.	[placeholder]
 
 2963.	[security]	The allow-query acl was being applied instead of the
 			allow-query-cache acl to cache lookups. [RT #22114]
 
 2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
 			[RT #22062]
 
 2961.	[bug]		Be still more selective about the non-authoritative
 			answers we apply change 2748 to. [RT #22074]
 
 2960.	[func]		Check that named accepts non-authoritative answers.
 			[RT #21594]
 
 2959.	[func]		Check that named starts with a missing masterfile.
 			[RT #22076]
 
 2958.	[bug]		named failed to start with a missing master file.
 			[RT #22076]
 
 2957.	[bug]		entropy_get() and entropy_getpseudo() failed to match
 			the API for RAND_bytes() and RAND_pseudo_bytes()
 			respectively. [RT #21962]
 
 2956.	[port]		Enable atomic operations on the PowerPC64. [RT #21899]
 
 2955.	[func]		Provide more detail in the recursing log. [RT #22043]
 
 2954.	[bug]		contrib: dlz_mysql_driver.c bad error handling on
 			build_sqldbinstance failure. [RT #21623]
 
 2953.	[bug]		Silence spurious "expected covering NSEC3, got an
 			exact match" message when returning a wildcard
 			no data response. [RT #21744]
 
 2952.	[port]		win32: named-checkzone and named-checkconf failed
 			to initialize winsock. [RT #21932]
 
 2951.	[bug]		named failed to generate a correct signed response
 			in a optout, delegation only zone with no secure
 			delegations. [RT #22007]
 
 2950.	[bug]		named failed to perform a SOA up to date check when
 			falling back to TCP on UDP timeouts when
 			ixfr-from-differences was set. [RT #21595]
 
 2949.	[bug]		dns_view_setnewzones() contained a memory leak if
 			it was called multiple times. [RT #21942]
 
 2948.	[port]		MacOS: provide a mechanism to configure the test
 			interfaces at reboot. See bin/tests/system/README
 			for details.
 
 2947.	[placeholder]
 
 2946.	[doc]		Document the default values for the minimum and maximum
 			zone refresh and retry values in the ARM. [RT #21886]
 
 2945.	[doc]		Update empty-zones list in ARM. [RT #21772]
 
 2944.	[maint]		Remove ORCHID prefix from built in empty zones.
 			[RT #21772]
 
 2943.	[func]		Add support to load new keys into managed zones
 			without signing immediately with "rndc loadkeys".
 			Add support to link keys with "dnssec-keygen -S"
 			and "dnssec-settime -S".  [RT #21351]
 
 2942.	[contrib]	zone2sqlite failed to setup the entropy sources.
 			[RT #21610]
 
 2941.	[bug]		sdb and sdlz (dlz's zone database) failed to support
 			DNAME at the zone apex.  [RT #21610]
 
 2940.	[port]		Remove connection aborted error message on
 			Windows. [RT #21549]
 
 2939.	[func]		Check that named successfully skips NSEC3 records
 			that fail to match the NSEC3PARAM record currently
 			in use. [RT #21868]
 
 2938.	[bug]		When generating signed responses, from a signed zone
 			that uses NSEC3, named would use a uninitialized
 			pointer if it needed to skip a NSEC3 record because
 			it didn't match the selected NSEC3PARAM record for
 			zone. [RT #21868]
 
 2937.	[bug]		Worked around an apparent race condition in over
 			memory conditions.  Without this fix a DNS cache DB or
 			ADB could incorrectly stay in an over memory state,
 			effectively refusing further caching, which
 			subsequently made a BIND 9 caching server unworkable.
 			This fix prevents this problem from happening by
 			polling the state of the memory context, rather than
 			making a copy of the state, which appeared to cause
 			a race.  This is a "workaround" in that it doesn't
 			solve the possible race per se, but several experiments
 			proved this change solves the symptom.  Also, the
 			polling overhead hasn't been reported to be an issue.
 			This bug should only affect a caching server that
 			specifies a finite max-cache-size.  It's also quite
 			likely that the bug happens only when enabling threads,
 			but it's not confirmed yet. [RT #21818]
 
 2936.	[func]		Improved configuration syntax and multiple-view
 			support for addzone/delzone feature (see change
 			#2930).  Removed "new-zone-file" option, replaced
 			with "allow-new-zones (yes|no)".  The new-zone-file
 			for each view is now created automatically, with
 			a filename generated from a hash of the view name.
 			It is no longer necessary to "include" the
 			new-zone-file in named.conf; this happens
 			automatically.  Zones that were not added via
 			"rndc addzone" can no longer be removed with
 			"rndc delzone". [RT #19447]
 
 2935.	[bug]		nsupdate: improve 'file not found' error message.
 			[RT #21871]
 
 2934.	[bug]		Use ANSI C compliant shift range in lib/isc/entropy.c.
 			[RT #21871]
 
 2933.	[bug]		'dig +nsid' used stack memory after it went out of
 			scope.  This could potentially result in a unknown,
 			potentially malformed, EDNS option being sent instead
 			of the desired NSID option. [RT #21781]
 
 2932.	[cleanup]	Corrected a numbering error in the "dnssec" test.
 			[RT #21597]
 
 2931.	[bug]		Temporarily and partially disable change 2864
 			because it would cause infinite attempts of RRSIG
 			queries.  This is an urgent care fix; we'll
 			revisit the issue and complete the fix later.
 			[RT #21710]
 
 2930.	[experimental]	New "rndc addzone" and "rndc delzone" commands
 			allow dynamic addition and deletion of zones.
 			To enable this feature, specify a "new-zone-file"
 			option at the view or options level in named.conf.
 			Zone configuration information for the new zones
 			will be written into that file.  To make the new
 			zones persist after a restart, "include" the file
 			into named.conf in the appropriate view.  (Note:
 			This feature is not yet documented, and its syntax
 			is expected to change.) [RT #19447]
 
 2929.	[bug]		Improved handling of GSS security contexts:
 			 - added LRU expiration for generated TSIGs
 			 - added the ability to use a non-default realm
 			 - added new "realm" keyword in nsupdate
 			 - limited lifetime of generated keys to 1 hour
 			   or the lifetime of the context (whichever is
 			   smaller)
 			[RT #19737]
 
 2928.	[bug]		Be more selective about the non-authoritative
 			answer we apply change 2748 to. [RT #21594]
 
 2927.	[placeholder]
 
 2926.	[placeholder]
 
 2925.	[bug]		Named failed to accept uncachable negative responses
 			from insecure zones. [RT #21555]
 
 2924.	[func]		'rndc  secroots'  dump a combined summary of the
 			current managed keys combined with trusted keys.
 			[RT #20904]
 
 2923.	[bug]		'dig +trace' could drop core after "connection
 			timeout". [RT #21514]
 
 2922.	[contrib]	Update zkt to version 1.0.
 
 2921.	[bug]		The resolver could attempt to destroy a fetch context
 			too soon.  [RT #19878]
 
 2920.	[func]		Allow 'filter-aaaa-on-v4' to be applied selectively
 			to IPv4 clients.  New acl 'filter-aaaa' (default any).
 
 2919.	[func]		Add autosign-ksk and autosign-zsk virtual time tests.
 			[RT #20840]
 
 2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.
 
 2917.	[func]		Virtual time test framework. [RT #20801]
 
 2916.	[func]		Add framework to use IPv6 in tests.
 			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
 
 2915.	[cleanup]	Be smarter about which objects we attempt to compile
 			based on configure options. [RT #21444]
 
 2914.	[bug]		Make the "autosign" system test more portable.
 			[RT #20997]
 
 2913.	[func]		Add pkcs#11 system tests. [RT #20784]
 
 2912.	[func]		Windows clients don't like UPDATE responses that clear
 			the zone section. [RT #20986]
 
 2911.	[bug]		dnssec-signzone didn't handle out of zone records well.
 			[RT #21367]
 
 2910.	[func]		Sanity check Kerberos credentials. [RT #20986]
 
 2909.	[bug]		named-checkconf -p could die if "update-policy local;"
 			was specified in named.conf. [RT #21416]
 
 2908.	[bug]		It was possible for re-signing to stop after removing
 			a DNSKEY. [RT #21384]
 
 2907.	[bug]		The export version of libdns had undefined references.
 			[RT #21444]
 
 2906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]
 
 2905.	[port]		aix: set use_atomic=yes with native compiler.
 			[RT #21402]
 
 2904.	[bug]		When using DLV, sub-zones of the zones in the DLV,
 			could be incorrectly marked as insecure instead of
 			secure leading to negative proofs failing.  This was
 			a unintended outcome from change 2890. [RT #21392]
 
 2903.	[bug]		managed-keys-directory missing from namedconf.c.
 			[RT #21370]
 
 2902.	[func]		Add regression test for change 2897. [RT #21040]
 
 2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
 
 2900.	[bug]		The placeholder negative caching element was not
 			properly constructed triggering a INSIST in
 			dns_ncache_towire(). [RT #21346]
 
 2899.	[port]		win32: Support linking against OpenSSL 1.0.0.
 
 2898.	[bug]		nslookup leaked memory when -domain=value was
 			specified. [RT #21301]
 
 2897.	[bug]		NSEC3 chains could be left behind when transitioning
 			to insecure. [RT #21040]
 
 2896.	[bug]		"rndc sign" failed to properly update the zone
 			when adding a DNSKEY for publication only. [RT #21045]
 
 2895.	[func]		genrandom: add support for the generation of multiple
 			files.  [RT #20917]
 
 2894.	[contrib]	DLZ LDAP support now use '$' not '%'. [RT #21294]
 
 2893.	[bug]		Improve managed keys support.  New named.conf option
 			managed-keys-directory. [RT #20924]
 
 2892.	[bug]		Handle REVOKED keys better. [RT #20961]
 
 2891.	[maint]		Update empty-zones list to match
 			draft-ietf-dnsop-default-local-zones-13. [RT #21099]
 
 2890.	[bug]		Handle the introduction of new trusted-keys and
 			DS, DLV RRsets better. [RT #21097]
 
 2889.	[bug]		Elements of the grammar where not properly reported.
 			[RT #21046]
 
 2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]
 
 2887.	[bug]		Report the keytag times in UTC in the .key file,
 			local time is presented as a comment within the
 			comment.  [RT #21223]
 
 2886.	[bug]		ctime() is not thread safe. [RT #21223]
 
 2885.	[bug]		Improve -fno-strict-aliasing support probing in
 			configure. [RT #21080]
 
 2884.	[bug]		Insufficient validation in dns_name_getlabelsequence().
 			[RT #21283]
 
 2883.	[bug]		'dig +short' failed to handle really large datasets.
 			[RT #21113]
 
 2882.	[bug]		Remove memory context from list of active contexts
 			before clearing 'magic'. [RT #21274]
 
 2881.	[bug]		Reduce the amount of time the rbtdb write lock
 			is held when closing a version. [RT #21198]
 
 2880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
 			consistent. [RT #21078]
 
 2879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
 			[RT #21106]
 
 2878.	[func]		Incrementally write the master file after performing
 			a AXFR.  [RT #21010]
 
 2877.	[bug]		The validator failed to skip obviously mismatching
 			RRSIGs. [RT #21138]
 
 2876.	[bug]		Named could return SERVFAIL for negative responses
 			from unsigned zones. [RT #21131]
 
 2875.	[bug]		dns_time64_fromtext() could accept non digits.
 			[RT #21033]
 
 2874.	[bug]		Cache lack of EDNS support only after the server
 			successfully responds to the query using plain DNS.
 			[RT #20930]
 
 2873.	[bug]		Canceling a dynamic update via the dns/client module
 			could trigger an assertion failure. [RT #21133]
 
 2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
 			require one of IPv4 or IPv6 rather than both.
 			[RT #21122]
 
 2871.	[bug]		Type mismatch in mem_api.c between the definition and
 			the header file, causing build failure with
 			--enable-exportlib. [RT #21138]
 
 2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.
 
 2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
 			[RT #20877]
 
 2868.	[cleanup]	Run "make clean" at the end of configure to ensure
 			any changes made by configure are integrated.
 			Use --with-make-clean=no to disable.  [RT #20994]
 
 2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
 			don't like it.  [RT #20986]
 
 2866.	[bug]		Windows does not like the TSIG name being compressed.
 			[RT #20986]
 
 2865.	[bug]		memset to zero event.data.  [RT #20986]
 
 2864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
 			[RT #21050]
 
 2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
 			[RT #21056]
 
 2862.	[bug]		nsupdate didn't default to the parent zone when
 			updating DS records. [RT #20896]
 
 2861.	[doc]		dnssec-settime man pages didn't correctly document the
 			inactivation time. [RT #21039]
 
 2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]
 
 2859.	[bug]		When canceling validation it was possible to leak
 			memory. [RT #20800]
 
 2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
 			[RT #20772]
 
 2857.	[bug]		named-checkconf did not fail on a bad trusted key.
 			[RT #20705]
 
 2856.	[bug]		The size of a memory allocation was not always properly
 			recorded. [RT #20927]
 
 2855.	[func]		nsupdate will now preserve the entered case of domain
 			names in update requests it sends. [RT #20928]
 
 2854.	[func]		dig: allow the final soa record in a axfr response to
 			be suppressed, dig +onesoa. [RT #20929]
 
 2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]
 
 2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]
 
 2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
 			source as it produced bad nroff.  [RT #21007]
 
 2850.	[bug]		If isc_heap_insert() failed due to memory shortage
 			the heap would have corrupted entries. [RT #20951]
 
 2849.	[bug]		Don't treat errors from the xml2 library as fatal.
 			[RT #20945]
 
 2848.	[doc]		Moved README.dnssec, README.libdns, README.pkcs11 and
 			README.rfc5011 into the ARM. [RT #20899]
 
 2847.	[cleanup]	Corrected usage message in dnssec-settime. [RT #20921]
 
 2846.	[bug]		EOF on unix domain sockets was not being handled
 			correctly. [RT #20731]
 
 2845.	[bug]		RFC 5011 client could crash on shutdown. [RT #20903]
 
 2844.	[doc]		notify-delay default in ARM was wrong.  It should have
 			been five (5) seconds.
 
 2843.	[func]		Prevent dnssec-keygen and dnssec-keyfromlabel from
 			creating key files if there is a chance that the new
 			key ID will collide with an existing one after
 			either of the keys has been revoked.  (To override
 			this in the case of dnssec-keyfromlabel, use the -y
 			option.  dnssec-keygen will simply create a
 			different, non-colliding key, so an override is
 			not necessary.) [RT #20838]
 
 2842.	[func]		Added "smartsign" and improved "autosign" and
 			"dnssec" regression tests. [RT #20865]
 
 2841.	[bug]		Change 2836 was not complete. [RT #20883]
 
 2840.	[bug]		Temporary fixed pkcs11-destroy usage check.
 			[RT #20760]
 
 2839.	[bug]		A KSK revoked by named could not be deleted.
 			[RT #20881]
 
 2838.	[placeholder]
 
 2837.	[port]		Prevent Linux spurious warnings about fwrite().
 			[RT #20812]
 
 2836.	[bug]		Keys that were scheduled to become active could
 			be delayed. [RT #20874]
 
 2835.	[bug]		Key inactivity dates were inadvertently stored in
 			the private key file with the outdated tag
 			"Unpublish" rather than "Inactive".  This has been
 			fixed; however, any existing keys that had Inactive
 			dates set will now need to have them reset, using
 			'dnssec-settime -I'. [RT #20868]
 
 2834.	[bug]		HMAC-SHA* keys that were longer than the algorithm
 			digest length were used incorrectly, leading to
 			interoperability problems with other DNS
 			implementations.  This has been corrected.
 			(Note: If an oversize key is in use, and
 			compatibility is needed with an older release of
 			BIND, the new tool "isc-hmac-fixup" can convert
 			the key secret to a form that will work with all
 			versions.) [RT #20751]
 
 2833.	[cleanup]	Fix usage messages in dnssec-keygen and dnssec-settime.
 			[RT #20851]
 
 2832.	[bug]		Modify "struct stat" in lib/export/samples/nsprobe.c
 			to avoid redefinition in some OSs [RT 20831]
 
 2831.	[security]	Do not attempt to validate or cache
 			out-of-bailiwick data returned with a secure
 			answer; it must be re-fetched from its original
 			source and validated in that context. [RT #20819]
 
 2830.	[bug]		Changing the OPTOUT setting could take multiple
 			passes. [RT #20813]
 
 2829.	[bug]		Fixed potential node inconsistency in rbtdb.c.
 			[RT #20808]
 
 2828.	[security]	Cached CNAME or DNAME RR could be returned to clients
 			without DNSSEC validation. [RT #20737]
 
 2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]
 
 2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
 			being released.  [RT #20740]
 
 2825.	[bug]		Changing the setting of OPTOUT in a NSEC3 chain that
 			was in the process of being created was not properly
 			recorded in the zone. [RT #20786]
 
 2824.	[bug]		"rndc sign" was not being run by the correct task.
 			[RT #20759]
 
 2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]
 
 2822.	[bug]		rbtdb.c:loadnode() could return the wrong result.
 			[RT #20802]
 
 2821.	[doc]		Add note that named-checkconf doesn't automatically
 			read rndc.key and bind.keys [RT #20758]
 
 2820.	[func]		Handle read access failure of OpenSSL configuration
 			file more user friendly (PKCS#11 engine patch).
 			[RT #20668]
 
 2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
 			[RT #20771]
 
 2818.	[cleanup]	rndc could return an incorrect error code
 			when a zone was not found. [RT #20767]
 
 2817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
 			[RT #20768]
 
 2816.	[bug]		previous_closest_nsec() could fail to return
 			data for NSEC3 nodes [RT #29730]
 
 2815.	[bug]		Exclusively lock the task when freezing a zone.
 			[RT #19838]
 
 2814.	[func]		Provide a definitive error message when a master
 			zone is not loaded. [RT #20757]
 
 2813.	[bug]		Better handling of unreadable DNSSEC key files.
 			[RT #20710]
 
 2812.	[bug]		Make sure updates can't result in a zone with
 			NSEC-only keys and NSEC3 records. [RT #20748]
 
 2811.	[cleanup]	Add "rndc sign" to list of commands in rndc usage
 			output. [RT #20733]
 
 2810.	[doc]		Clarified the process of transitioning an NSEC3 zone
 			to insecure. [RT #20746]
 
 2809.	[cleanup]	Restored accidentally-deleted text in usage output
 			in dnssec-settime and dnssec-revoke [RT #20739]
 
 2808.	[bug]		Remove the attempt to install atomic.h from lib/isc.
 			atomic.h is correctly installed by the architecture
 			specific subdirectories.  [RT #20722]
 
 2807.	[bug]		Fixed a possible ASSERT when reconfiguring zone
 			keys. [RT #20720]
 
 	--- 9.7.0rc1 released ---
 
 2806.	[bug]		"rdnc sign" could delay re-signing the DNSKEY
 			when it had changed. [RT #20703]
 
 2805.	[bug]		Fixed namespace problems encountered when building
 			external programs using non-exported BIND9 libraries
 			(i.e., built without --enable-exportlib). [RT #20679]
 
 2804.	[bug]		Send notifies when a zone is signed with "rndc sign"
 			or as a result of a scheduled key change. [RT #20700]
 
 2803.	[port]		win32: Install named-journalprint, nsec3hash, arpaname
 			and genrandom under windows. [RT #20670]
 
 2802.	[cleanup]	Rename journalprint to named-journalprint. [RT #20670]
 
 2801.	[func]		Detect and report records that are different according
 			to DNSSEC but are semantically equal according to plain
 			DNS.  Apply plain DNS comparisons rather than DNSSEC
 			comparisons when processing UPDATE requests.
 			dnssec-signzone now removes such semantically duplicate
 			records prior to signing the RRset.
 
 			named-checkzone -r {ignore|warn|fail} (default warn)
 			named-compilezone -r {ignore|warn|fail} (default warn)
 
 			named.conf: check-dup-records {ignore|warn|fail};
 
 2800.	[func]		Reject zones which have NS records which refer to
 			CNAMEs, DNAMEs or don't have address record (class IN
 			only).  Reject UPDATEs which would cause the zone
 			to fail the above checks if committed. [RT #20678]
 
 2799.	[cleanup]	Changed the "secure-to-insecure" option to
 			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
 			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
 
 2798.	[bug]		Addressed bugs in managed-keys initialization
 			and rollover. [RT #20683]
 
 2797.	[bug]		Don't decrement the dispatch manager's maxbuffers.
 			[RT #20613]
 
 2796.	[bug]		Missing dns_rdataset_disassociate() call in
 			dns_nsec3_delnsec3sx(). [RT #20681]
 
 2795.	[cleanup]	Add text to differentiate "update with no effect"
 			log messages. [RT #18889]
 
 2794.	[bug]		Install <isc/namespace.h>.  [RT #20677]
 
 2793.	[func]		Add "autosign" and "metadata" tests to the
 			automatic tests. [RT #19946]
 
 2792.	[func]		"filter-aaaa-on-v4" can now be set in view
 			options (if compiled in).  [RT #20635]
 
 2791.	[bug]		The installation of isc-config.sh was broken.
 			[RT #20667]
 
 2790.	[bug]		Handle DS queries to stub zones. [RT #20440]
 
 2789.	[bug]		Fixed an INSIST in dispatch.c [RT #20576]
 
 2788.	[bug]		dnssec-signzone could sign with keys that were
 			not requested [RT #20625]
 
 2787.	[bug]		Spurious log message when zone keys were
 			dynamically reconfigured. [RT #20659]
 
 2786.	[bug]		Additional could be promoted to answer. [RT #20663]
 
 	--- 9.7.0b3 released ---
 
 2785.	[bug]		Revoked keys could fail to self-sign [RT #20652]
 
 2784.	[bug]		TC was not always being set when required glue was
 			dropped. [RT #20655]
 
 2783.	[func]		Return minimal responses to EDNS/UDP queries with a UDP
 			buffer size of 512 or less.  [RT #20654]
 
 2782.	[port]		win32: use getaddrinfo() for hostname lookups.
 			[RT #20650]
 
 2781.	[bug]		Inactive keys could be used for signing. [RT #20649]
 
 2780.	[bug]		dnssec-keygen -A none didn't properly unset the
 			activation date in all cases. [RT #20648]
 
 2779.	[bug]		Dynamic key revocation could fail. [RT #20644]
 
 2778.	[bug]		dnssec-signzone could fail when a key was revoked
 			without deleting the unrevoked version. [RT #20638]
 
 2777.	[contrib]	DLZ MYSQL auto reconnect support discovery was wrong.
 
 2776.	[bug]		Change #2762 was not correct. [RT #20647]
 
 2775.	[bug]		Accept RSASHA256 and RSASHA512 as NSEC3 compatible
 			in dnssec-keyfromlabel. [RT #20643]
 
 2774.	[bug]		Existing cache DB wasn't being reused after
 			reconfiguration. [RT #20629]
 
 2773.	[bug]		In autosigned zones, the SOA could be signed
 			with the KSK. [RT #20628]
 
 2772.	[security]	When validating, track whether pending data was from
 			the additional section or not and only return it if
 			validates as secure. [RT #20438]
 
 2771.	[bug]		dnssec-signzone: DNSKEY records could be
 			corrupted when importing from key files [RT #20624]
 
 2770.	[cleanup]	Add log messages to resolver.c to indicate events
 			causing FORMERR responses. [RT #20526]
 
 2769.	[cleanup]	Change #2742 was incomplete. [RT #19589]
 
 2768.	[bug]		dnssec-signzone: -S no longer implies -g [RT #20568]
 
 2767.	[bug]		named could crash on startup if a zone was
 			configured with auto-dnssec and there was no
 			key-directory. [RT #20615]
 
 2766.	[bug]		isc_socket_fdwatchpoke() should only update the
 			socketmgr state if the socket is not pending on a
 			read or write.  [RT #20603]
 
 2765.	[bug]		Skip masters for which the TSIG key cannot be found.
 			[RT #20595]
 
 2764.	[bug]		"rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
 
 2763.	[bug]		"rndc sign" didn't create an NSEC chain. [RT #20591]
 
 2762.	[bug]		DLV validation failed with a local slave DLV zone.
 			[RT #20577]
 
 2761.	[cleanup]	Enable internal symbol table for backtrace only for
 			systems that are known to work.  Currently, BSD
 			variants, Linux and Solaris are supported. [RT #20202]
 
 2760.	[cleanup]	Corrected named-compilezone usage summary. [RT #20533]
 
 2759.	[doc]		Add information about .jbk/.jnw files to
 			the ARM. [RT #20303]
 
 2758.	[bug]		win32: Added a workaround for a windows 2008 bug
 			that could cause the UDP client handler to shut
 			down. [RT #19176]
 
 2757.	[bug]		dig: assertion failure could occur in connect
 			timeout. [RT #20599]
 
 2756.	[bug]		Fixed corrupt logfile message in update.c. [RT #20597]
 
 2755.	[placeholder]
 
 2754.	[bug]		Secure-to-insecure transitions failed when zone
 			was signed with NSEC3. [RT #20587]
 
 2753.	[bug]		Removed an unnecessary warning that could appear when
 			building an NSEC chain. [RT #20589]
 
 2752.	[bug]		Locking violation. [RT #20587]
 
 2751.	[bug]		Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
 
 2750.	[bug]		dig: assertion failure could occur when a server
 			didn't have an address. [RT #20579]
 
 2749.	[bug]		ixfr-from-differences generated a non-minimal ixfr
 			for NSEC3 signed zones. [RT #20452]
 
 2748.	[func]		Identify bad answers from GTLD servers and treat them
 			as referrals. [RT #18884]
 
 2747.	[bug]		Journal roll forwards failed to set the re-signing
 			time of RRSIGs correctly. [RT #20541]
 
 2746.	[port]		hpux: address signed/unsigned expansion mismatch of
 			dns_rbtnode_t.nsec. [RT #20542]
 
 2745.	[bug]		configure script didn't probe the return type of
 			gai_strerror(3) correctly. [RT #20573]
 
 2744.	[func]		Log if a query was over TCP. [RT #19961]
 
 2743.	[bug]		RRSIG could be incorrectly set in the NSEC3 record
 			for a insecure delegation.
 
 	--- 9.7.0b2 released ---
 
 2742.	[cleanup]	Clarify some DNSSEC-related log messages in
 			validator.c. [RT #19589]
 
 2741.	[func]		Allow the dnssec-keygen progress messages to be
 			suppressed (dnssec-keygen -q).  Automatically
 			suppress the progress messages when stdin is not
 			a tty. [RT #20474]
 
 2740.	[placeholder]
 
 2739.	[cleanup]	Clean up API for initializing and clearing trust
 			anchors for a view. [RT #20211]
 
 2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
 			test. [RT #20453]
 
 2737.	[func]		UPDATE requests can leak existence information.
 			[RT #17261]
 
 2736.	[func]		Improve the performance of NSEC signed zones with
 			more than a normal amount of glue below a delegation.
 			[RT #20191]
 
 2735.	[bug]		dnssec-signzone could fail to read keys
 			that were specified on the command line with
 			full paths, but weren't in the current
 			directory. [RT #20421]
 
 2734.	[port]		cygwin: arpaname did not compile. [RT #20473]
 
 2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]
 
 2732.	[func]		Add optional filter-aaaa-on-v4 option, available
 			if built with './configure --enable-filter-aaaa'.
 			Filters out AAAA answers to clients connecting
 			via IPv4.  (This is NOT recommended for general
 			use.) [RT #20339]
 
 2731.	[func]		Additional work on change 2709.  The key parser
 			will now ignore unrecognized fields when the
 			minor version number of the private key format
 			has been increased.  It will reject any key with
 			the major version number increased. [RT #20310]
 
 2730.	[func]		Have dnssec-keygen display a progress indication
 			a la 'openssl genrsa' on standard error. Note
 			when the first '.' is followed by a long stop
 			one has the choice between slow generation vs.
 			poor random quality, i.e., '-r /dev/urandom'.
 			[RT #20284]
 
 2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
 			TTL. [RT #20451]
 
 2728.	[bug]		dnssec-keygen, dnssec-keyfromlabel and
 			dnssec-signzone now warn immediately if asked to
 			write into a nonexistent directory. [RT #20278]
 
 2727.	[func]		The 'key-directory' option can now specify a relative
 			path. [RT #20154]
 
 2726.	[func]		Added support for SHA-2 DNSSEC algorithms,
 			RSASHA256 and RSASHA512. [RT #20023]
 
 2725.	[doc]		Added information about the file "managed-keys.bind"
 			to the ARM. [RT #20235]
 
 2724.	[bug]		Updates to a existing node in secure zone using NSEC
 			were failing. [RT #20448]
 
 2723.	[bug]		isc_base32_totext(), isc_base32hex_totext(), and
 			isc_base64_totext(), didn't always mark regions of
 			memory as fully consumed after conversion.  [RT #20445]
 
 2722.	[bug]		Ensure that the memory associated with the name of
 			a node in a rbt tree is not altered during the life
 			of the node. [RT #20431]
 
 2721.	[port]		Have dst__entropy_status() prime the random number
 			generator. [RT #20369]
 
 2720.	[bug]		RFC 5011 trust anchor updates could trigger an
 			assert if the DNSKEY record was unsigned. [RT #20406]
 
 2719.	[func]		Skip trusted/managed keys for unsupported algorithms.
 			[RT #20392]
 
 2718.	[bug]		The space calculations in opensslrsa_todns() were
 			incorrect. [RT #20394]
 
 2717.	[bug]		named failed to update the NSEC/NSEC3 record when
 			the last private type record was removed as a result
 			of completing the signing the zone with a key.
 			[RT #20399]
 
 2716.	[bug]		nslookup debug mode didn't return the ttl. [RT #20414]
 
 	--- 9.7.0b1 released ---
 
 2715.	[bug]		Require OpenSSL support to be explicitly disabled.
 			[RT #20288]
 
 2714.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
 			flags.
 
 2713.	[bug]		powerpc: atomic operations missing asm("ics") /
 			__isync() calls.
 
 2712.	[func]		New 'auto-dnssec' zone option allows zone signing
 			to be fully automated in zones configured for
 			dynamic DNS.  'auto-dnssec allow;' permits a zone
 			to be signed by creating keys for it in the
 			key-directory and using 'rndc sign <zone>'.
 			'auto-dnssec maintain;' allows that too, plus it
 			also keeps the zone's DNSSEC keys up to date
 			according to their timing metadata. [RT #19943]
 
 2711.	[port]		win32: Add the bin/pkcs11 tools into the full
 			build. [RT #20372]
 
 2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
 			zone option cause a zone to be signed with only KSKs
 			signing the DNSKEY RRset, not ZSKs.  This reduces
 			the size of a DNSKEY answer.  [RT #20340]
 
 2709.	[func]		Added some data fields, currently unused, to the
 			private key file format, to allow implementation
 			of explicit key rollover in a future release
 			without impairing backward or forward compatibility.
 			[RT #20310]
 
 2708.	[func]		Insecure to secure and NSEC3 parameter changes via
 			update are now fully supported and no longer require
 			defines to enable.  We now no longer overload the
 			NSEC3PARAM flag field, nor the NSEC OPT bit at the
 			apex.  Secure to insecure changes are controlled by
 			by the named.conf option 'secure-to-insecure'.
 
 			Warning: If you had previously enabled support by
 			adding defines at compile time to BIND 9.6 you should
 			ensure that all changes that are in progress have
 			completed prior to upgrading to BIND 9.7.  BIND 9.7
 			is not backwards compatible.
 
 2707.	[func]		dnssec-keyfromlabel no longer require engine name
 			to be specified in the label if there is a default
 			engine or the -E option has been used.  Also, it
 			now uses default algorithms as dnssec-keygen does
 			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
 			[RT #20371]
 
 2706.	[bug]		Loading a zone with a very large NSEC3 salt could
 			trigger an assert. [RT #20368]
 
 2705.	[placeholder]
 
 2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
 			with their SOA serial.  [RT #19387]
 
 2703.	[func]		Introduce an OpenSSL "engine" argument with -E
 			for all binaries which can take benefit of
 			crypto hardware. [RT #20230]
 
 2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
 
 2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
 			supported TSIG key algorithm. [RT #18046]
 
 2700.	[doc]		The match-mapped-addresses option is discouraged.
 			[RT #12252]
 
 2699.	[bug]		Missing lock in rbtdb.c. [RT #20037]
 
 2698.	[placeholder]
 
 2697.	[port]		win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
 			S_IFREG are defined after including <isc/stat.h>.
 			[RT #20309]
 
 2696.	[bug]		named failed to successfully process some valid
 			acl constructs. [RT #20308]
 
 2695.	[func]		DHCP/DDNS - update fdwatch code for use by
 			DHCP.  Modify the api to isc_sockfdwatch_t (the
 			callback function for isc_socket_fdwatchcreate)
 			to include information about the direction (read
 			or write) and add isc_socket_fdwatchpoke.
 			[RT #20253]
 
 2694.	[bug]		Reduce default NSEC3 iterations from 100 to 10.
 			[RT #19970]
 
 2693.	[port]		Add some noreturn attributes. [RT #20257]
 
 2692.	[port]		win32: 32/64 bit cleanups. [RT #20335]
 
 2691.	[func]		dnssec-signzone: retain the existing NSEC or NSEC3
 			chain when re-signing a previously-signed zone.
 			Use -u to modify NSEC3 parameters or switch
 			between NSEC and NSEC3. [RT #20304]
 
 2690.	[bug]		win32: fix isc_thread_key_getspecific() prototype.
 			[RT #20315]
 
 2689.	[bug]		Correctly handle snprintf result. [RT #20306]
 
 2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
 			to decide to fetch the destination address. [RT #20305]
 
 2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
 			Also, added warnings when revoking a ZSK, as this is
 			not defined by protocol (but is legal).  [RT #19943]
 
 2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
 			signing with NSEC3 and vice versa. [RT #20301]
 
 2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]
 
 2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
 			+adflag and +cdflag.  [RT #19305]
 
 2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
 			the NSEC3 parameters used to sign the zone change.
 			[RT #20246]
 
 2682.	[bug]		"configure --enable-symtable=all" failed to
 			build. [RT #20282]
 
 2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
 			decoded. [RT #20269]
 
 2680.	[func]		Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
 
 2679.	[func]		dig -k can now accept TSIG keys in named.conf
 			format.  [RT #20031]
 
 2678.	[func]		Treat DS queries as if "minimal-response yes;"
 			was set. [RT #20258]
 
 2677.	[func]		Changes to key metadata behavior:
 			- Keys without "publish" or "active" dates set will
 			  no longer be used for smart signing.  However,
 			  those dates will be set to "now" by default when
 			  a key is created; to generate a key but not use
 			  it yet, use dnssec-keygen -G.
 			- New "inactive" date (dnssec-keygen/settime -I)
 			  sets the time when a key is no longer used for
 			  signing but is still published.
 			- The "unpublished" date (-U) is deprecated in
 			  favor of "deleted" (-D).
 			[RT #20247]
 
 2676.	[bug]		--with-export-installdir should have been
 			--with-export-includedir. [RT #20252]
 
 2675.	[bug]		dnssec-signzone could crash if the key directory
 			did not exist. [RT #20232]
 
 	--- 9.7.0a3 released ---
 
 2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
 			without openssl. [RT #20231]
 
 2673.	[bug]		The managed-keys.bind zone file could fail to
 			load due to a spurious result from sync_keyzone()
 			[RT #20045]
 
 2672.	[bug]		Don't enable searching in 'host' when doing reverse
 			lookups. [RT #20218]
 
 2671.	[bug]		Add support for PKCS#11 providers not returning
 			the public exponent in RSA private keys
 			(OpenCryptoki for instance) in
 			dnssec-keyfromlabel. [RT #19294]
 
 2670.	[bug]		Unexpected connect failures failed to log enough
 			information to be useful. [RT #20205]
 
 2669.	[func]		Update PKCS#11 support to support Keyper HSM.
 			Update PKCS#11 patch to be against openssl-0.9.8i.
 
 2668.	[func]		Several improvements to dnssec-* tools, including:
 			- dnssec-keygen and dnssec-settime can now set key
 			  metadata fields 0 (to unset a value, use "none")
 			- dnssec-revoke sets the revocation date in
 			  addition to the revoke bit
 			- dnssec-settime can now print individual metadata
 			  fields instead of always printing all of them,
 			  and can print them in unix epoch time format for
 			  use by scripts
 			[RT #19942]
 
 2667.	[func]		Add support for logging stack backtrace on assertion
 			failure (not available for all platforms). [RT #19780]
 
 2666.	[func]		Added an 'options' argument to dns_name_fromstring()
 			(API change from 9.7.0a2). [RT #20196]
 
 2665.	[func]		Clarify syntax for managed-keys {} statement, add
 			ARM documentation about RFC 5011 support. [RT #19874]
 
 2664.	[bug]		create_keydata() and minimal_update() in zone.c
 			didn't properly check return values for some
 			functions.  [RT #19956]
 
 2663.	[func]		win32:  allow named to run as a service using
 			"NT AUTHORITY\LocalService" as the account. [RT #19977]
 
 2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr()
 			returned a misleading error code when lwresd was
 			down. [RT #20028]
 
 2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
 			creating lwres context. [RT #20029]
 
 2660.	[func]		Add a new set of DNS libraries for non-BIND9
 			applications.  See README.libdns. [RT #19369]
 
 2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
 			name for DNSSEC keys. [RT #19938]
 
 2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
 			key file paths correctly. [RT #20078]
 
 2657.	[cleanup]	Lower "journal file <path> does not exist, creating it"
 			log level to debug 1. [RT #20058]
 
 2656.	[func]		win32: add a "tools only" check box to the installer
 			which causes it to only install dig, host, nslookup,
 			nsupdate and relevant DLLs.  [RT #19998]
 
 2655.	[doc]		Document that key-directory does not affect
 			bind.keys, rndc.key or session.key.  [RT #20155]
 
 2654.	[bug]		Improve error reporting on duplicated names for
 			deny-answer-xxx. [RT #20164]
 
 2653.	[bug]		Treat ENGINE_load_private_key() failures as key
 			not found rather than out of memory.  [RT #18033]
 
 2652.	[func]		Provide more detail about what record is being
 			deleted. [RT #20061]
 
 2651.	[bug]		Dates could print incorrectly in K*.key files on
 			64-bit systems. [RT #20076]
 
 2650.	[bug]		Assertion failure in dnssec-signzone when trying
 			to read keyset-* files. [RT #20075]
 
 2649.	[bug]		Set the domain for forward only zones. [RT #19944]
 
 2648.	[port]		win32: isc_time_seconds() was broken. [RT #19900]
 
 2647.	[bug]		Remove unnecessary SOA updates when a new KSK is
 			added. [RT #19913]
 
 2646.	[bug]		Incorrect cleanup on error in socket.c. [RT #19987]
 
 2645.	[port]		"gcc -m32" didn't work on amd64 and x86_64 platforms
 			which default to 64 bits. [RT #19927]
 
 	--- 9.7.0a2 released ---
 
 2644.	[bug]		Change #2628 caused a regression on some systems;
 			named was unable to write the PID file and would
 			fail on startup. [RT #20001]
 
 2643.	[bug]		Stub zones interacted badly with NSEC3 support.
 			[RT #19777]
 
 2642.	[bug]		nsupdate could dump core on solaris when reading
 			improperly formatted key files.  [RT #20015]
 
 2641.	[bug]		Fixed an error in parsing update-policy syntax,
 			added a regression test to check it. [RT #20007]
 
 2640.	[security]	A specially crafted update packet will cause named
 			to exit. [RT #20000]
 
 2639.	[bug]		Silence compiler warnings in gssapi code. [RT #19954]
 
 2638.	[bug]		Install arpaname. [RT #19957]
 
 2637.	[func]		Rationalize dnssec-signzone's signwithkey() calling.
 			[RT #19959]
 
 2636.	[func]		Simplify zone signing and key maintenance with the
 			dnssec-* tools.  Major changes:
 			- all dnssec-* tools now take a -K option to
 			  specify a directory in which key files will be
 			  stored
 			- DNSSEC can now store metadata indicating when
 			  they are scheduled to be published, activated,
 			  revoked or removed; these values can be set by
 			  dnssec-keygen or overwritten by the new
 			  dnssec-settime command
 			- dnssec-signzone -S (for "smart") option reads key
 			  metadata and uses it to determine automatically
 			  which keys to publish to the zone, use for
 			  signing, revoke, or remove from the zone
 			[RT #19816]
 
 2635.	[bug]		isc_inet_ntop() incorrectly handled 0.0/16 addresses.
 			[RT #19716]
 
 2634.	[port]		win32: Add support for libxml2, enable
 			statschannel. [RT #19773]
 
 2633.	[bug]		Handle 15 bit rand() functions. [RT #19783]
 
 2632.	[func]		util/kit.sh: warn if documentation appears to be out of
 			date.  [RT #19922]
 
 2631.	[bug]		Handle "//", "/./" and "/../" in mkdirpath().
 			[RT #19926 ]
 
 2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
 			"update-policy local;" to switch on local DDNS in a
 			zone. (The "ddns-autoconf" option has been removed.)
 			[RT #19875]
 
 2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
 			setresgid() if not present. [RT #19932]
 
 2628.	[port]		linux: Allow /var/run/named/named.pid to be opened
 			at startup with reduced capabilities in operation.
 			[RT #19884]
 
 2627.	[bug]		Named aborted if the same key was included in
 			trusted-keys more than once. [RT #19918]
 
 2626.	[bug]		Multiple trusted-keys could trigger an assertion
 			failure. [RT #19914]
 
 2625.	[bug]		Missing UNLOCK in rbtdb.c. [RT #19865]
 
 2624.	[func]		'named-checkconf -p' will print out the parsed
 			configuration. [RT #18871]
 
 2623.	[bug]		Named started searches for DS non-optimally. [RT #19915]
 
 2622.	[bug]		Printing of named.conf grammar was broken. [RT #19919]
 
 2621.	[doc]		Made copyright boilerplate consistent.  [RT #19833]
 
 2620.	[bug]		Delay thawing the zone until the reload of it has
 			completed successfully.  [RT #19750]
 
 2619.	[func]		Add support for RFC 5011, automatic trust anchor
 			maintenance.  The new "managed-keys" statement can
 			be used in place of "trusted-keys" for zones which
 			support this protocol.  (Note: this syntax is
 			expected to change prior to 9.7.0 final.) [RT #19248]
 
 2618.	[bug]		The sdb and sdlz db_interator_seek() methods could
 			loop infinitely. [RT #19847]
 
 2617.	[bug]		ifconfig.sh failed to emit an error message when
 			run from the wrong location. [RT #19375]
 
 2616.	[bug]		'host' used the nameservers from resolv.conf even
 			when a explicit nameserver was specified. [RT #19852]
 
 2615.	[bug]		"__attribute__((unused))" was in the wrong place
 			for ia64 gcc builds. [RT #19854]
 
 2614.	[port]		win32: 'named -v' should automatically be executed
 			in the foreground. [RT #19844]
 
 2613.	[placeholder]
 
 	--- 9.7.0a1 released ---
 
 2612.	[func]		Add default values for the arguments to
 			dnssec-keygen.  Without arguments, it will now
 			generate a 1024-bit RSASHA1 zone-signing key,
 			or with the -f KSK option, a 2048-bit RSASHA1
 			key-signing key. [RT #19300]
 
 2611.	[func]		Add -l option to dnssec-dsfromkey to generate
 			DLV records instead of DS records. [RT #19300]
 
 2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]
 
 2609.	[func]		Simplify the configuration of dynamic zones:
 			- add ddns-confgen command to generate
 			  configuration text for named.conf
 			- add zone option "ddns-autoconf yes;", which
 			  causes named to generate a TSIG session key
 			  and allow updates to the zone using that key
 			- add '-l' (localhost) option to nsupdate, which
 			  causes nsupdate to connect to a locally-running
 			  named process using the session key generated
 			  by named
 			[RT #19284]
 
 2608.	[func]		Perform post signing verification checks in
 			dnssec-signzone.  These can be disabled with -P.
 
 			The post sign verification test ensures that for each
 			algorithm in use there is at least one non revoked
 			self signed KSK key.  That all revoked KSK keys are
 			self signed.  That all records in the zone are signed
 			by the algorithm.  [RT #19653]
 
 2607.	[bug]		named could incorrectly delete NSEC3 records for
 			empty nodes when processing a update request.
 			[RT #19749]
 
 2606.	[bug]		"delegation-only" was not being accepted in
 			delegation-only type zones. [RT #19717]
 
 2605.	[bug]		Accept DS responses from delegation only zones.
 			[RT # 19296]
 
 2604.	[func]		Add support for DNS rebinding attack prevention through
 			new options, deny-answer-addresses and
 			deny-answer-aliases.  Based on contributed code from
 			JD Nurmi, Google. [RT #18192]
 
 2603.	[port]		win32: handle .exe extension of named-checkzone and
 			named-comilezone argv[0] names under windows.
 			[RT #19767]
 
 2602.	[port]		win32: fix debugging command line build of libisccfg.
 			[RT #19767]
 
 2601.	[doc]		Mention file creation mode mask in the
 			named manual page.
 
 2600.	[doc]		ARM: miscellaneous reformatting for different
 			page widths. [RT #19574]
 
 2599.	[bug]		Address rapid memory growth when validation fails.
 			[RT #19654]
 
 2598.	[func]		Reserve the -F flag. [RT #19657]
 
 2597.	[bug]		Handle a validation failure with a insecure delegation
 			from a NSEC3 signed master/slave zone.  [RT #19464]
 
 2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
 			long, leading to inefficient memory usage or rejecting
 			newer cache entries in the worst case. [RT #19563]
 
 2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]
 
 2594.	[func]		Have rndc warn if using its default configuration
 			file when the key file also exists. [RT #19424]
 
 2593.	[bug]		Improve a corner source of SERVFAILs [RT #19632]
 
 2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]
 
 2591.	[bug]		named could die when processing a update in
 			removed_orphaned_ds(). [RT #19507]
 
 2590.	[func]		Report zone/class of "update with no effect".
 			[RT #19542]
 
 2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
 			[RT #19626]
 
 2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
 			of bind(2) call.  This should be rare and mostly
 			harmless, but may cause interference with other
 			processes that happen to use the same port. [RT #19642]
 
 2587.	[func]		Improve logging by reporting serial numbers for
 			when zone serial has gone backwards or unchanged.
 			[RT #19506]
 
 2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
 			or SDB. [RT #19577]
 
 2585.	[bug]		Uninitialized socket name could be referenced via a
 			statistics channel, triggering an assertion failure in
 			XML rendering. [RT #19427]
 
 2584.	[bug]		alpha: gcc optimization could break atomic operations.
 			[RT #19227]
 
 2583.	[port]		netbsd: provide a control to not add the compile
 			date to the version string, -DNO_VERSION_DATE.
 
 2582.	[bug]		Don't emit warning log message when we attempt to
 			remove non-existent journal. [RT #19516]
 
 2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
 			Requires MySQL 5.0.19 or later. [RT #19084]
 
 2580.	[bug]		UpdateRej statistics counter could be incremented twice
 			for one rejection. [RT #19476]
 
 2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
 			algorithms. [RT #19479]
 
 2578.	[bug]		Changed default sig-signing-type to 65534, because
 			65535 turns out to be reserved.  [RT #19477]
 
 2577.	[doc]		Clarified some statistics counters. [RT #19454]
 
 2576.	[bug]		NSEC record were not being correctly signed when
 			a zone transitions from insecure to secure.
 			Handle such incorrectly signed zones. [RT #19114]
 
 2575.	[func]		New functions dns_name_fromstring() and
 			dns_name_tostring(), to simplify conversion
 			of a string to a dns_name structure and vice
 			versa. [RT #19451]
 
 2574.	[doc]		Document nsupdate -g and -o. [RT #19351]
 
 2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
 			single transaction in a signed zone failed. [RT #19397]
 
 2572.	[func]		Simplify DLV configuration, with a new option
 			"dnssec-lookaside auto;"  This is the equivalent
 			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
 			plus setting a trusted-key for dlv.isc.org.
 
 			Note: The trusted key is hard-coded into named,
 			but is also stored in (and can be overridden
 			by) $sysconfdir/bind.keys.  As the ISC DLV key
 			rolls over it can be kept up to date by replacing
 			the bind.keys file with a key downloaded from
 			https://www.isc.org/solutions/dlv. [RT #18685]
 
 2571.	[func]		Add a new tool "arpaname" which translates IP addresses
 			to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
 			[RT #18976]
 
 2570.	[func]		Log the destination address the query was sent to.
 			[RT #19209]
 
 2569.	[func]		Move journalprint, nsec3hash, and genrandom
 			commands from bin/tests into bin/tools;
 			"make install" will put them in $sbindir. [RT #19301]
 
 2568.	[bug]		Report when the write to indicate a otherwise
 			successful start fails. [RT #19360]
 
 2567.	[bug]		dst__privstruct_writefile() could miss write errors.
 			write_public_key() could miss write errors.
 			dnssec-dsfromkey could miss write errors.
 			[RT #19360]
 
 2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
 			response arrives from a zone thought to be secure:
 			"insecurity proof failed" instead of "not
 			insecure". [RT #19400]
 
 2565.	[func]		Add support for HIP record.  Includes new functions
 			dns_rdata_hip_first(), dns_rdata_hip_next()
 			and dns_rdata_hip_current().  [RT #19384]
 
 2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
 			[RT #19405]
 
 2563.	[bug]		Dig could leak a socket causing it to wait forever
 			to exit. [RT #19359]
 
 2562.	[doc]		ARM: miscellaneous improvements, reorganization,
 			and some new content.
 
 2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]
 
 2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]
 
 2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
 			reading from a K* files.  [RT #19357]
 
 2558.	[func]		Set the ownership of missing directories created
 			for pid-file if -u has been specified on the command
 			line. [RT #19328]
 
 2557.	[cleanup]	PCI compliance:
 			* new libisc log module file
 			* isc_dir_chroot() now also changes the working
 			  directory to "/".
 			* additional INSISTs
 			* additional logging when files can't be removed.
 
 2556.	[port]		Solaris: mkdir(2) on tmpfs filesystems does not do the
 			error checks in the correct order resulting in the
 			wrong error code sometimes being returned. [RT #19249]
 
 2555.	[func]		dig: when emitting a hex dump also display the
 			corresponding characters. [RT #19258]
 
 2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
 			fail. [RT #19297]
 
 2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]
 
 2552.	[bug]		zero-no-soa-ttl-cache was not being honored.
 			[RT #19340]
 
 2551.	[bug]		Potential Reference leak on return. [RT #19341]
 
 2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
 			[RT #19343]
 
 2549.	[port]		linux: define NR_OPEN if not currently defined.
 			[RT #19344]
 
 2548.	[bug]		Install iterated_hash.h. [RT #19335]
 
 2547.	[bug]		openssl_link.c:mem_realloc() could reference an
 			out-of-range area of the source buffer.  New public
 			function isc_mem_reallocate() was introduced to address
 			this bug. [RT #19313]
 
 2546.	[func]		Add --enable-openssl-hash configure flag to use
 			OpenSSL (in place of internal routine) for hash
 			functions (MD5, SHA[12] and HMAC). [RT #18815]
 
 2545.	[doc]		ARM: Legal hostname checking (check-names) is
 			for SRV RDATA too. [RT #19304]
 
 2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]
 
 2543.	[contrib]	Update contrib/zkt to version 0.98. [RT #19113]
 
 2542.	[doc]		Update the description of dig +adflag. [RT #19290]
 
 2541.	[bug]		Conditionally update dispatch manager statistics.
 			[RT #19247]
 
 2540.	[func]		Add a nibble mode to $GENERATE. [RT #18872]
 
 2539.	[security]	Update the interaction between recursion, allow-query,
 			allow-query-cache and allow-recursion.  [RT #19198]
 
 2538.	[bug]		cache/ADB memory could grow over max-cache-size,
 			especially with threads and smaller max-cache-size
 			values. [RT #19240]
 
 2537.	[func]		Added more statistics counters including those on socket
 			I/O events and query RTT histograms. [RT #18802]
 
 2536.	[cleanup]	Silence some warnings when -Werror=format-security is
 			specified. [RT #19083]
 
 2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]
 
 2534.	[func]		Check NAPTR records regular expressions and
 			replacement strings to ensure they are syntactically
 			valid and consistent. [RT #18168]
 
 2533.	[doc]		ARM: document @ (at-sign). [RT #17144]
 
 2532.	[bug]		dig: check the question section of the response to
 			see if it matches the asked question. [RT #18495]
 
 2531.	[bug]		Change #2207 was incomplete. [RT #19098]
 
 2530.	[bug]		named failed to reject insecure to secure transitions
 			via UPDATE. [RT #19101]
 
 2529.	[cleanup]	Upgrade libtool to silence complaints from recent
 			version of autoconf. [RT #18657]
 
 2528.	[cleanup]	Silence spurious configure warning about
 			--datarootdir [RT #19096]
 
 2527.	[placeholder]
 
 2526.	[func]		New named option "attach-cache" that allows multiple
 			views to share a single cache to save memory and
 			improve lookup efficiency.  Based on contributed code
 			from Barclay Osborn, Google. [RT #18905]
 
 2525.	[func]		New logging category "query-errors" to provide detailed
 			internal information about query failures, especially
 			about server failures. [RT #19027]
 
 2524.	[port]		sunos: dnssec-signzone needs strtoul(). [RT #19129]
 
 2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
 			[RT #19112]
 
 2522.	[security]	Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
 
 2521.	[bug]		Improve epoll cross compilation support. [RT #19047]
 
 2520.	[bug]		Update xml statistics version number to 2.0 as change
 			#2388 made the schema incompatible to the previous
 			version. [RT #19080]
 
 2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
 			nameserver addresses of the excluded address family
 			preceded in resolv.conf. [RT #19081]
 
 2518.	[func]		Add support for the new CERT types from RFC 4398.
 			[RT #19077]
 
 2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
 			nameserver address of the excluded address type.
 			[RT #18843]
 
 2516.	[bug]		glue sort for responses was performed even when not
 			needed. [RT #19039]
 
 2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
 			[RT #19063]
 
 2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
 			a nameserver of the excluded address family.
 			[RT #18848]
 
 2513.	[bug]		Fix windows cli build. [RT #19062]
 
 2512.	[func]		Print a summary of the cached records which make up
 			the negative response.  [RT #18885]
 
 2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
 			[RT #18885]
 
 2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
 			[RT #19033]
 
 2509.	[bug]		Specifying a fixed query source port was broken.
 			[RT #19051]
 
 2508.	[placeholder]
 
 2507.	[func]		Log the recursion quota values when killing the
 			oldest query or refusing to recurse due to quota.
 			[RT #19022]
 
 2506.	[port]		solaris: Check at configure time if
 			hack_shutup_pthreadonceinit is needed. [RT #19037]
 
 2505.	[port]		Treat amd64 similarly to x86_64 when determining
 			atomic operation support. [RT #19031]
 
 2504.	[bug]		Address race condition in the socket code. [RT #18899]
 
 2503.	[port]		linux: improve compatibility with Linux Standard
 			Base. [RT #18793]
 
 2502.	[cleanup]	isc_radix: Improve compliance with coding style,
 			document function in <isc/radix.h>. [RT #18534]
 
 2501.	[func]		$GENERATE now supports all rdata types.  Multi-field
 			rdata types need to be quoted.  See the ARM for
 			details. [RT #18368]
 
 2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
 			function. [RT #18582]
 
 2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
 			[RT #18837]
 
 	--- 9.6.0rc1 released ---
 
 2498.	[bug]		Removed a bogus function argument used with
 			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
 			warning or crash named with the debug 1 level
 			of logging. [RT #18917]
 
 2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
 			delegation.
 
 2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]
 
 2495.	[bug]		Tighten RRSIG checks. [RT #18795]
 
 2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
 			installed. [RT #18826]
 
 2493.	[bug]		The linux capabilities code was not correctly cleaning
 			up after itself. [RT #18767]
 
 2492.	[func]		Rndc status now reports the number of cpus discovered
 			and the number of worker threads when running
 			multi-threaded. [RT #18273]
 
 2491.	[func]		Attempt to re-use a local port if we are already using
 			the port. [RT #18548]
 
 2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
 			is cleared when IPV6_V6ONLY is set. [RT #18785]
 
 2489.	[port]		solaris: Workaround Solaris's kernel bug about
 			/dev/poll:
 			http://bugs.opensolaris.org/view_bug.do?bug_id=6724237
 			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
 			this workaround. [RT #18870]
 
 2488.	[func]		Added a tool, dnssec-dsfromkey, to generate DS records
 			from keyset and .key files. [RT #18694]
 
 2487.	[bug]		Give TCP connections longer to complete. [RT #18675]
 
 2486.	[func]		The default locations for named.pid and lwresd.pid
 			are now /var/run/named/named.pid and
 			/var/run/lwresd/lwresd.pid respectively.
 
 			This allows the owner of the containing directory
 			to be set, for "named -u" support, and allows there
 			to be a permanent symbolic link in the path, for
 			"named -t" support.  [RT #18306]
 
 2485.	[bug]		Change update's the handling of obscured RRSIG
 			records.  Not all orphaned DS records were being
 			removed. [RT #18828]
 
 2484.	[bug]		It was possible to trigger a REQUIRE failure when
 			adding NSEC3 proofs to the response in
 			query_addwildcardproof().  [RT #18828]
 
 2483.	[port]		win32: chroot() is not supported. [RT #18805]
 
 2482.	[port]		libxml2: support versions 2.7.* in addition
 			to 2.6.*. [RT #18806]
 
 	--- 9.6.0b1 released ---
 
 2481.	[bug]		rbtdb.c:matchparams() failed to handle NSEC3 chain
 			collisions.  [RT #18812]
 
 2480.	[bug]		named could fail to emit all the required NSEC3
 			records.  [RT #18812]
 
 2479.	[bug]		xfrout:covers was not properly initialized. [RT #18801]
 
 2478.	[bug]		'addresses' could be used uninitialized in
 			configure_forward(). [RT #18800]
 
 2477.	[bug]		dig: the global option to print the command line is
 			+cmd not print_cmd.  Update the output to reflect
 			this. [RT #17008]
 
 2476.	[doc]		ARM: improve documentation for max-journal-size and
 			ixfr-from-differences. [RT #15909] [RT #18541]
 
 2475.	[bug]		LRU cache cleanup under overmem condition could purge
 			particular entries more aggressively. [RT #17628]
 
 2474.	[bug]		ACL structures could be allocated with insufficient
 			space, causing an array overrun. [RT #18765]
 
 2473.	[port]		linux: raise the limit on open files to the possible
 			maximum value before spawning threads; 'files'
 			specified in named.conf doesn't seem to work with
 			threads as expected. [RT #18784]
 
 2472.	[port]		linux: check the number of available cpu's before
 			calling chroot as it depends on "/proc". [RT #16923]
 
 2471.	[bug]		named-checkzone was not reporting missing mandatory
 			glue when sibling checks were disabled. [RT #18768]
 
 2470.	[bug]		Elements of the isc_radix_node_t could be incorrectly
 			overwritten.  [RT #18719]
 
 2469.	[port]		solaris: Work around Solaris's select() limitations.
 			[RT #18769]
 
 2468.	[bug]		Resolver could try unreachable servers multiple times.
 			[RT #18739]
 
 2467.	[bug]		Failure of fcntl(F_DUPFD) wasn't logged. [RT #18740]
 
 2466.	[doc]		ARM: explain max-cache-ttl 0 SERVFAIL issue.
 			[RT #18302]
 
 2465.	[bug]		Adb's handling of lame addresses was different
 			for IPv4 and IPv6. [RT #18738]
 
 2464.	[port]		linux: check that a capability is present before
 			trying to set it. [RT #18135]
 
 2463.	[port]		linux: POSIX doesn't include the IPv6 Advanced Socket
 			API and glibc hides parts of the IPv6 Advanced Socket
 			API as a result.  This is stupid as it breaks how the
 			two halves (Basic and Advanced) of the IPv6 Socket API
 			were designed to be used but we have to live with it.
 			Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
 			API. [RT #18388]
 
 2462.	[doc]		Document -m (enable memory usage debugging)
 			option for dig. [RT #18757]
 
 2461.	[port]		sunos: Change #2363 was not complete. [RT #17513]
 
 	--- 9.6.0a1 released ---
 
 2460.	[bug]		Don't call dns_db_getnsec3parameters() on the cache.
 			[RT #18697]
 
 2459.	[contrib]	Import dnssec-zkt to contrib/zkt. [RT #18448]
 
 2458.	[doc]		ARM: update and correction for max-cache-size.
 			[RT #18294]
 
 2457.	[tuning]	max-cache-size is reverted to 0, the previous
 			default.  It should be safe because expired cache
 			entries are also purged. [RT #18684]
 
 2456.	[bug]		In ACLs, ::/0 and 0.0.0.0/0 would both match any
 			address, regardless of family.  They now correctly
 			distinguish IPv4 from IPv6.  [RT #18559]
 
 2455.	[bug]		Stop metadata being transferred via axfr/ixfr.
 			[RT #18639]
 
 2454.	[func]		nsupdate: you can now set a default ttl. [RT #18317]
 
 2453.	[bug]		Remove NULL pointer dereference in dns_journal_print().
 			[RT #18316]
 
 2452.	[func]		Improve bin/test/journalprint. [RT #18316]
 
 2451.	[port]		solaris: handle runtime linking better. [RT #18356]
 
 2450.	[doc]		Fix lwresd docbook problem for manual page.
 			[RT #18672]
 
 2449.	[placeholder]
 
 2448.	[func]		Add NSEC3 support. [RT #15452]
 
 2447.	[cleanup]	libbind has been split out as a separate product.
 
 2446.	[func]		Add a new log message about build options on startup.
 			A new command-line option '-V' for named is also
 			provided to show this information. [RT #18645]
 
 2445.	[doc]		ARM out-of-date on empty reverse zones (list includes
 			RFC1918 address, but these are not yet compiled in).
 			[RT #18578]
 
 2444.	[port]		Linux, FreeBSD, AIX: Turn off path mtu discovery
 			(clear DF) for UDP responses and requests.
 
 2443.	[bug]		win32: UDP connect() would not generate an event,
 			and so connected UDP sockets would never clean up.
 			Fix this by doing an immediate WSAConnect() rather
 			than an io completion port type for UDP.
 
 2442.	[bug]		A lock could be destroyed twice. [RT #18626]
 
 2441.	[bug]		isc_radix_insert() could copy radix tree nodes
 			incompletely. [RT #18573]
 
 2440.	[bug]		named-checkconf used an incorrect test to determine
 			if an ACL was set to none.
 
 2439.	[bug]		Potential NULL dereference in dns_acl_isanyornone().
 			[RT #18559]
 
 2438.	[bug]		Timeouts could be logged incorrectly under win32.
 
 2437.	[bug]		Sockets could be closed too early, leading to
 			inconsistent states in the socket module. [RT #18298]
 
 2436.	[security]	win32: UDP client handler can be shutdown. [RT #18576]
 
 2435.	[bug]		Fixed an ACL memory leak affecting win32.
 
 2434.	[bug]		Fixed a minor error-reporting bug in
 			lib/isc/win32/socket.c.
 
 2433.	[tuning]	Set initial timeout to 800ms.
 
 2432.	[bug]		More Windows socket handling improvements.  Stop
 			using I/O events and use IO Completion Ports
 			throughout.  Rewrite the receive path logic to make
 			it easier to support multiple simultaneous
 			requesters in the future.  Add stricter consistency
 			checking as a compile-time option (define
 			ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
 
 2431.	[bug]		Acl processing could leak memory. [RT #18323]
 
 2430.	[bug]		win32: isc_interval_set() could round down to
 			zero if the input was less than NS_INTERVAL
 			nanoseconds.  Round up instead. [RT #18549]
 
 2429.	[doc]		nsupdate should be in section 1 of the man pages.
 			[RT #18283]
 
 2428.	[bug]		dns_iptable_merge() mishandled merges of negative
 			tables. [RT #18409]
 
 2427.	[func]		Treat DNSKEY queries as if "minimal-response yes;"
 			was set. [RT #18528]
 
 2426.	[bug]		libbind: inet_net_pton() can sometimes return the
 			wrong value if excessively large net masks are
 			supplied. [RT #18512]
 
 2425.	[bug]		named didn't detect unavailable query source addresses
 			at load time. [RT #18536]
 
 2424.	[port]		configure now probes for a working epoll
 			implementation.  Allow the use of kqueue,
 			epoll and /dev/poll to be selected at compile
 			time. [RT #18277]
 
 2423.	[security]	Randomize server selection on queries, so as to
 			make forgery a little more difficult.  Instead of
 			always preferring the server with the lowest RTT,
 			pick a server with RTT within the same 128
 			millisecond band.  [RT #18441]
 
 2422.	[bug]		Handle the special return value of a empty node as
 			if it was a NXRRSET in the validator. [RT #18447]
 
 2421.	[func]		Add new command line option '-S' for named to specify
 			the max number of sockets. [RT #18493]
 			Use caution: this option may not work for some
 			operating systems without rebuilding named.
 
 2420.	[bug]		Windows socket handling cleanup.  Let the io
 			completion event send out canceled read/write
 			done events, which keeps us from writing to memory
 			we no longer have ownership of.  Add debugging
 			socket_log() function.  Rework TCP socket handling
 			to not leak sockets.
 
 2419.	[cleanup]	Document that isc_socket_create() and isc_socket_open()
 			should not be used for isc_sockettype_fdwatch sockets.
 			[RT #18521]
 
 2418.	[bug]		AXFR request on a DLZ could trigger a REQUIRE failure
 			[RT #18430]
 
 2417.	[bug]		Connecting UDP sockets for outgoing queries could
 			unexpectedly fail with an 'address already in use'
 			error. [RT #18411]
 
 2416.	[func]		Log file descriptors that cause exceeding the
 			internal maximum. [RT #18460]
 
 2415.	[bug]		'rndc dumpdb' could trigger various assertion failures
 			in rbtdb.c. [RT #18455]
 
 2414.	[bug]		A masterdump context held the database lock too long,
 			causing various troubles such as dead lock and
 			recursive lock acquisition. [RT #18311, #18456]
 
 2413.	[bug]		Fixed an unreachable code path in socket.c. [RT #18442]
 
 2412.	[bug]		win32: address a resource leak. [RT #18374]
 
 2411.	[bug]		Allow using a larger number of sockets than FD_SETSIZE
 			for select().  To enable this, set ISC_SOCKET_MAXSOCKETS
 			at compilation time.  [RT #18433]
 
 			Note: with changes #2469 and #2421 above, there is no
 			need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
 			any more.
 
 2410.	[bug]		Correctly delete m_versionInfo. [RT #18432]
 
 2409.	[bug]		Only log that we disabled EDNS processing if we were
 			subsequently successful.  [RT #18029]
 
 2408.	[bug]		A duplicate TCP dispatch event could be sent, which
 			could then trigger an assertion failure in
 			resquery_response().  [RT #18275]
 
 2407.	[port]		hpux: test for sys/dyntune.h. [RT #18421]
 
 2406.	[placeholder]
 
 2405.	[cleanup]	The default value for dnssec-validation was changed to
 			"yes" in 9.5.0-P1 and all subsequent releases; this
 			was inadvertently omitted from CHANGES at the time.
 
 2404.	[port]		hpux: files unlimited support.
 
 2403.	[bug]		TSIG context leak. [RT #18341]
 
 2402.	[port]		Support Solaris 2.11 and over. [RT #18362]
 
 2401.	[bug]		Expect to get E[MN]FILE errno internal_accept()
 			(from accept() or fcntl() system calls). [RT #18358]
 
 2400.	[bug]		Log if kqueue()/epoll_create()/open(/dev/poll) fails.
 			[RT #18297]
 
 2399.	[placeholder]
 
 2398.	[bug]		Improve file descriptor management.  New,
 			temporary, named.conf option reserved-sockets,
 			default 512. [RT #18344]
 
 2397.	[bug]		gssapi_functions had too many elements. [RT #18355]
 
 2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
 			[RT #18336]
 
 2395.	[port]		Avoid warning and no effect from "files unlimited"
 			on Linux when running as root. [RT #18335]
 
 2394.	[bug]		Default configuration options set the limit for
 			open files to 'unlimited' as described in the
 			documentation. [RT #18331]
 
 2393.	[bug]		nested acls containing keys could trigger an
 			assertion in acl.c. [RT #18166]
 
 2392.	[bug]		remove 'grep -q' from acl test script, some platforms
 			don't support it. [RT #18253]
 
 2391.	[port]		hpux: cover additional recvmsg() error codes.
 			[RT #18301]
 
 2390.	[bug]		dispatch.c could make a false warning on 'odd socket'.
 			[RT #18301].
 
 2389.	[bug]		Move the "working directory writable" check to after
 			the ns_os_changeuser() call. [RT #18326]
 
 2388.	[bug]		Avoid using tables for layout purposes in
 			statistics XSL [RT #18159].
 
 2387.	[bug]		Silence compiler warnings in lib/isc/radix.c.
 			[RT #18147] [RT #18258]
 
 2386.	[func]		Add warning about too small 'open files' limit.
 			[RT #18269]
 
 2385.	[bug]		A condition variable in socket.c could leak in
 			rare error handling [RT #17968].
 
 2384.	[security]	Fully randomize UDP query ports to improve
 			forgery resilience. [RT #17949, #18098]
 
 2383.	[bug]		named could double queries when they resulted in
 			SERVFAIL due to overkilling EDNS0 failure detection.
 			[RT #18182]
 
 2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
 			to ARM.
 
 2381.	[port]		dlz/mysql: support multiple install layouts for
 			mysql.  <prefix>/include/{,mysql/}mysql.h and
 			<prefix>/lib/{,mysql/}. [RT #18152]
 
 2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
 			proofs which, in turn, caused validation failures
 			for insecure zones immediately below a secure zone
 			the server was authoritative for. [RT #18112]
 
 2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
 			TLDs and supported RRs with TTLs [RT #17972]
 
 2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
 			[RT #18169]
 
 2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]
 
 2376.	[bug]		Change #2144 was not complete.
 
 2375.	[placeholder]
 
 2374.	[bug]		"blackhole" ACLs could cause named to segfault due
 			to some uninitialized memory. [RT #18095]
 
 2373.	[bug]		Default values of zone ACLs were re-parsed each time a
 			new zone was configured, causing an overconsumption
 			of memory. [RT #18092]
 
 2372.	[bug]		Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
 
 2371.	[doc]		Add +nsid option to dig man page. [RT #18039]
 
 2370.	[bug]		"rndc freeze" could trigger an assertion in named
 			when called on a nonexistent zone. [RT #18050]
 
 2369.	[bug]		libbind: Array bounds overrun on read in bitncmp().
 			[RT #18054]
 
 2368.	[port]		Linux: use libcap for capability management if
 			possible. [RT #18026]
 
 2367.	[bug]		Improve counting of dns_resstatscounter_retry
 			[RT #18030]
 
 2366.	[bug]		Adb shutdown race. [RT #18021]
 
 2365.	[bug]		Fix a bug that caused dns_acl_isany() to return
 			spurious results. [RT #18000]
 
 2364.	[bug]		named could trigger a assertion when serving a
 			malformed signed zone. [RT #17828]
 
 2363.	[port]		sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
 			[RT #17513]
 
 2362.	[cleanup]	Make "rrset-order fixed" a compile-time option.
 			settable by "./configure --enable-fixed-rrset".
 			Disabled by default. [RT #17977]
 
 2361.	[bug]		"recursion" statistics counter could be counted
 			multiple times for a single query.  [RT #17990]
 
 2360.	[bug]		Fix a condition where we release a database version
 			(which may acquire a lock) while holding the lock.
 
 2359.	[bug]		Fix NSID bug. [RT #17942]
 
 2358.	[doc]		Update host's default query description. [RT #17934]
 
 2357.	[port]		Don't use OpenSSL's engine support in versions before
 			OpenSSL 0.9.7f. [RT #17922]
 
 2356.	[bug]		Built in mutex profiler was not scalable enough.
 			[RT #17436]
 
 2355.	[func]		Extend the number statistics counters available.
 			[RT #17590]
 
 2354.	[bug]		Failed to initialize some rdatasetheader_t elements.
 			[RT #17927]
 
 2353.	[func]		Add support for Name Server ID (RFC 5001).
 			'dig +nsid' requests NSID from server.
 			'request-nsid yes;' causes recursive server to send
 			NSID requests to upstream servers.  Server responds
 			to NSID requests with the string configured by
 			'server-id' option.  [RT #17091]
 
 2352.	[bug]		Various GSS_API fixups. [RT #17729]
 
 2351.	[bug]		convertxsl.pl generated very long lines. [RT #17906]
 
 2350.	[port]		win32: IPv6 support. [RT #17797]
 
 2349.	[func]		Provide incremental re-signing support for secure
 			dynamic zones. [RT #1091]
 
 2348.	[func]		Use the EVP interface to OpenSSL. Add PKCS#11 support.
 			Documentation is in the new README.pkcs11 file.
 			New tool, dnssec-keyfromlabel, which takes the
 			label of a key pair in a HSM and constructs a DNS
 			key pair for use by named and dnssec-signzone.
 			[RT #16844]
 
 2347.	[bug]		Delete now traverses the RB tree in the canonical
 			order. [RT #17451]
 
 2346.	[func]		Memory statistics now cover all active memory contexts
 			in increased detail. [RT #17580]
 
 2345.	[bug]		named-checkconf failed to detect when forwarders
 			were set at both the options/view level and in
 			a root zone. [RT #17671]
 
 2344.	[bug]		Improve "logging{ file ...; };" documentation.
 			[RT #17888]
 
 2343.	[bug]		(Seemingly) duplicate IPv6 entries could be
 			created in ADB. [RT #17837]
 
 2342.	[func]		Use getifaddrs() if available under Linux. [RT #17224]
 
 2341.	[bug]		libbind: add missing -I../include for off source
 			tree builds. [RT #17606]
 
 2340.	[port]		openbsd: interface configuration. [RT #17700]
 
 2339.	[port]		tru64: support for libbind. [RT #17589]
 
 2338.	[bug]		check_ds() could be called with a non DS rdataset.
 			[RT #17598]
 
 2337.	[bug]		BUILD_LDFLAGS was not being correctly set.  [RT #17614]
 
 2336.	[func]		If "named -6" is specified then listen on all IPv6
 			interfaces if there are not listen-on-v6 clauses in
 			named.conf.  [RT #17581]
 
 2335.	[port]		sunos:  libbind and *printf() support for long long.
 			[RT #17513]
 
 2334.	[bug]		Bad REQUIRES in fromstruct_in_naptr(),  off by one
 			bug in fromstruct_txt(). [RT #17609]
 
 2333.	[bug]		Fix off by one error in isc_time_nowplusinterval().
 			[RT #17608]
 
 2332.	[contrib]	query-loc-0.4.0. [RT #17602]
 
 2331.	[bug]		Failure to regenerate any signatures was not being
 			reported nor being past back to the UPDATE client.
 			[RT #17570]
 
 2330.	[bug]		Remove potential race condition when handling
 			over memory events. [RT #17572]
 
 			WARNING: API CHANGE: over memory callback
 			function now needs to call isc_mem_waterack().
 			See <isc/mem.h> for details.
 
 2329.	[bug]		Clearer help text for dig's '-x' and '-i' options.
 
 2328.	[maint]		Add AAAA addresses for A.ROOT-SERVERS.NET,
 			F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
 			J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
 			M.ROOT-SERVERS.NET.
 
 2327.	[bug]		It was possible to dereference a NULL pointer in
 			rbtdb.c.  Implement dead node processing in zones as
 			we do for caches. [RT #17312]
 
 2326.	[bug]		It was possible to trigger a INSIST in the acache
 			processing.
 
 2325.	[port]		Linux: use capset() function if available. [RT #17557]
 
 2324.	[bug]		Fix IPv6 matching against "any;". [RT #17533]
 
 2323.	[port]		tru64: namespace clash. [RT #17547]
 
 2322.	[port]		MacOS: work around the limitation of setrlimit()
 			for RLIMIT_NOFILE. [RT #17526]
 
 2321.	[placeholder]
 
 2320.	[func]		Make statistics counters thread-safe for platforms
 			that support certain atomic operations. [RT #17466]
 
 2319.	[bug]		Silence Coverity warnings in
 			lib/dns/rdata/in_1/apl_42.c. [RT #17469]
 
 2318.	[port]		sunos fixes for libbind.  [RT #17514]
 
 2317.	[bug]		"make distclean" removed bind9.xsl.h. [RT #17518]
 
 2316.	[port]		Missing #include <isc/print.h> in lib/dns/gssapictx.c.
 			[RT #17513]
 
 2315.	[bug]		Used incorrect address family for mapped IPv4
 			addresses in acl.c. [RT #17519]
 
 2314.	[bug]		Uninitialized memory use on error path in
 			bin/named/lwdnoop.c.  [RT #17476]
 
 2313.	[cleanup]	Silence Coverity warnings. Handle private stacks.
 			[RT #17447] [RT #17478]
 
 2312.	[cleanup]	Silence Coverity warning in lib/isc/unix/socket.c.
 			[RT #17458]
 
 2311.	[bug]		IPv6 addresses could match IPv4 ACL entries and
 			vice versa. [RT #17462]
 
 2310.	[bug]		dig, host, nslookup: flush stdout before emitting
 			debug/fatal messages.  [RT #17501]
 
 2309.	[cleanup]	Fix Coverity warnings in lib/dns/acl.c and iptable.c.
 			[RT #17455]
 
 2308.	[cleanup]	Silence Coverity warning in bin/named/controlconf.c.
 			[RT #17495]
 
 2307.	[bug]		Remove infinite loop from lib/dns/sdb.c. [RT #17496]
 
 2306.	[bug]		Remove potential race from lib/dns/resolver.c.
 			[RT #17470]
 
 2305.	[security]	inet_network() buffer overflow. CVE-2008-0122.
 
 2304.	[bug]		Check returns from all dns_rdata_tostruct() calls.
 			[RT #17460]
 
 2303.	[bug]		Remove unnecessary code from bin/named/lwdgnba.c.
 			[RT #17471]
 
 2302.	[bug]		Fix memset() calls in lib/tests/t_api.c. [RT #17472]
 
 2301.	[bug]		Remove resource leak and fix error messages in
 			bin/tests/system/lwresd/lwtest.c. [RT #17474]
 
 2300.	[bug]		Fixed failure to close open file in
 			bin/tests/names/t_names.c. [RT #17473]
 
 2299.	[bug]		Remove unnecessary NULL check in
 			bin/nsupdate/nsupdate.c. [RT #17475]
 
 2298.	[bug]		isc_mutex_lock() failure not caught in
 			bin/tests/timers/t_timers.c. [RT #17468]
 
 2297.	[bug]		isc_entropy_createfilesource() failure not caught in
 			bin/tests/dst/t_dst.c. [RT #17467]
 
 2296.	[port]		Allow docbook stylesheet location to be specified to
 			configure. [RT #17457]
 
 2295.	[bug]		Silence static overrun error in bin/named/lwaddr.c.
 			[RT #17459]
 
 2294.	[func]		Allow the experimental statistics channels to have
 			multiple connections and ACL.
 			Note: the stats-server and stats-server-v6 options
 			available in the previous beta releases are replaced
 			with the generic statistics-channels statement.
 
 2293.	[func]		Add ACL regression test. [RT #17375]
 
 2292.	[bug]		Log if the working directory is not writable.
 			[RT #17312]
 
 2291.	[bug]		PR_SET_DUMPABLE may be set too late.  Also report
 			failure to set PR_SET_DUMPABLE. [RT #17312]
 
 2290.	[bug]		Let AD in the query signal that the client wants AD
 			set in the response. [RT #17301]
 
 2289.	[func]		named-checkzone now reports the out-of-zone CNAME
 			found. [RT #17309]
 
 2288.	[port]		win32: mark service as running when we have finished
 			loading.  [RT #17441]
 
 2287.	[bug]		Use 'volatile' if the compiler supports it. [RT #17413]
 
 2286.	[func]		Allow a TCP connection to be used as a weak
 			authentication method for reverse zones.
 			New update-policy methods tcp-self and 6to4-self.
 			[RT #17378]
 
 2285.	[func]		Test framework for client memory context management.
 			[RT #17377]
 
 2284.	[bug]		Memory leak in UPDATE prerequisite processing.
 			[RT #17377]
 
 2283.	[bug]		TSIG keys were not attaching to the memory
 			context.  TSIG keys should use the rings
 			memory context rather than the clients memory
 			context. [RT #17377]
 
 2282.	[bug]		Acl code fixups. [RT #17346] [RT #17374]
 
 2281.	[bug]		Attempts to use undefined acls were not being logged.
 			[RT #17307]
 
 2280.	[func]		Allow the experimental http server to be reached
 			over IPv6 as well as IPv4. [RT #17332]
 
 2279.	[bug]		Use setsockopt(SO_NOSIGPIPE), when available,
 			to protect applications from receiving spurious
 			SIGPIPE signals when using the resolver.
 
 2278.	[bug]		win32: handle the case where Windows returns no
 			search list or DNS suffix. [RT #17354]
 
 2277.	[bug]		Empty zone names were not correctly being caught at
 			in the post parse checks. [RT #17357]
 
 2276.	[bug]		Install <dst/gssapi.h>.  [RT #17359]
 
 2275.	[func]		Add support to dig to perform IXFR queries over UDP.
 			[RT #17235]
 
 2274.	[func]		Log zone transfer statistics. [RT #17336]
 
 2273.	[bug]		Adjust log level to WARNING when saving inconsistent
 			stub/slave master and journal files. [RT #17279]
 
 2272.	[bug]		Handle illegal dnssec-lookaside trust-anchor names.
 			[RT #17262]
 
 2271.	[bug]		Fix a memory leak in http server code [RT #17100]
 
 2270.	[bug]		dns_db_closeversion() version->writer could be reset
 			before it is tested. [RT #17290]
 
 2269.	[contrib]	dbus memory leaks and missing va_end calls. [RT #17232]
 
 2268.	[bug]		0.IN-ADDR.ARPA was missing from the empty zones
 			list.
 
 	--- 9.5.0b1 released ---
 
 2267.	[bug]		Radix tree node_num value could be set incorrectly,
 			causing positive ACL matches to look like negative
 			ones.  [RT #17311]
 
 2266.	[bug]		client.c:get_clientmctx() returned the same mctx
 			once the pool of mctx's was filled. [RT #17218]
 
 2265.	[bug]		Test that the memory context's basic_table is non NULL
 			before freeing.  [RT #17265]
 
 2264.	[bug]		Server prefix length was being ignored. [RT #17308]
 
 2263.	[bug]		"named-checkconf -z" failed to set default value
 			for "check-integrity".  [RT #17306]
 
 2262.	[bug]		Error status from all but the last view could be
 			lost. [RT #17292]
 
 2261.	[bug]		Fix memory leak with "any" and "none" ACLs [RT #17272]
 
 2260.	[bug]		Reported wrong clients-per-query when increasing the
 			value. [RT #17236]
 
 2259.	[placeholder]
 
 	--- 9.5.0a7 released ---
 
 2258.	[bug]		Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
 			[RT #17241]
 
 2257.	[bug]		win32: Use the full path to vcredist_x86.exe when
 			calling it. [RT #17222]
 
 2256.	[bug]		win32: Correctly register the installation location of
 			bindevt.dll. [RT #17159]
 
 2255.	[maint]		L.ROOT-SERVERS.NET is now 199.7.83.42.
 
 2254.	[bug]		timer.c:dispatch() failed to lock timer->lock
 			when reading timer->idle allowing it to see
 			intermediate values as timer->idle was reset by
 			isc_timer_touch(). [RT #17243]
 
 2253.	[func]		"max-cache-size" defaults to 32M.
 			"max-acache-size" defaults to 16M.
 
 2252.	[bug]		Fixed errors in sortlist code [RT #17216]
 
 2251.	[placeholder]
 
 2250.	[func]		New flag 'memstatistics' to state whether the
 			memory statistics file should be written or not.
 			Additionally named's -m option will cause the
 			statistics file to be written. [RT #17113]
 
 2249.	[bug]		Only set Authentic Data bit if client requested
 			DNSSEC, per RFC 3655 [RT #17175]
 
 2248.	[cleanup]	Fix several errors reported by Coverity. [RT #17160]
 
 2247.	[doc]		Sort doc/misc/options. [RT #17067]
 
 2246.	[bug]		Make the startup of test servers (ans.pl) more
 			robust. [RT #17147]
 
 2245.	[bug]		Validating lack of DS records at trust anchors wasn't
 			working. [RT #17151]
 
 2244.	[func]		Allow the check of nameserver names against the
 			SOA MNAME field to be disabled by specifying
 			'notify-to-soa yes;'.  [RT #17073]
 
 2243.	[func]		Configuration files without a newline at the end now
 			parse without error. [RT #17120]
 
 2242.	[bug]		nsupdate: GSS-TSIG support using the Heimdal Kerberos
 			library could require a source of random data.
 			[RT #17127]
 
 2241.	[func]		nsupdate: add a interactive 'help' command. [RT #17099]
 
 2240.	[bug]		Cleanup nsupdates GSS-TSIG support.  Convert
 			a number of INSIST()s into plain fatal() errors
 			which report the triggering result code.
 			The 'key' command wasn't disabling GSS-TSIG.
 			[RT #17099]
 
 2239.	[func]		Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
 
 2238.	[bug]		It was possible to trigger a REQUIRE when a
 			validation was canceled. [RT #17106]
 
 2237.	[bug]		libbind: res_init() was not thread aware. [RT #17123]
 
 2236.	[bug]		dnssec-signzone failed to preserve the case of
 			of wildcard owner names. [RT #17085]
 
 2235.	[bug]		<isc/atomic.h> was not being installed. [RT #17135]
 
 2234.	[port]		Correct some compiler warnings on SCO OSr5 [RT #17134]
 
 2233.	[func]		Add support for O(1) ACL processing, based on
 			radix tree code originally written by Kevin
 			Brintnall. [RT #16288]
 
 2232.	[bug]		dns_adb_findaddrinfo() could fail and return
 			ISC_R_SUCCESS. [RT #17137]
 
 2231.	[bug]		Building dlzbdb (contrib/dlz/bin/dlzbdb) was broken.
 			[RT #17088]
 
 2230.	[bug]		We could INSIST reading a corrupted journal.
 			[RT #17132]
 
 2229.	[bug]		Null pointer dereference on query pool creation
 			failure. [RT #17133]
 
 2228.	[contrib]	contrib: Change 2188 was incomplete.
 
 2227.	[cleanup]	Tidied up the FAQ. [RT #17121]
 
 2226.	[placeholder]
 
 2225.	[bug]		More support for systems with no IPv4 addresses.
 			[RT #17111]
 
 2224.	[bug]		Defer journal compaction if a xfrin is in progress.
 			[RT #17119]
 
 2223.	[bug]		Make a new journal when compacting. [RT #17119]
 
 2222.	[func]		named-checkconf now checks server key references.
 			[RT #17097]
 
 2221.	[bug]		Set the event result code to reflect the actual
 			record turned to caller when a cache update is
 			rejected due to a more credible answer existing.
 			[RT #17017]
 
 2220.	[bug]		win32: Address a race condition in final shutdown of
 			the Windows socket code. [RT #17028]
 
 2219.	[bug]		Apply zone consistency checks to additions, not
 			removals, when updating. [RT #17049]
 
 2218.	[bug]		Remove unnecessary REQUIRE from dns_validator_create().
 			[RT #16976]
 
 2217.	[func]		Adjust update log levels. [RT #17092]
 
 2216.	[cleanup]	Fix a number of errors reported by Coverity.
 			[RT #17094]
 
 2215.	[bug]		Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
 
 2214.	[bug]		Deregister OpenSSL lock callback when cleaning
 			up.  Reorder OpenSSL cleanup so that RAND_cleanup()
 			is called before the locks are destroyed. [RT #17098]
 
 2213.	[bug]		SIG0 diagnostic failure messages were looking at the
 			wrong status code. [RT #17101]
 
 2212.	[func]		'host -m' now causes memory statistics and active
 			memory to be printed at exit. [RT 17028]
 
 2211.	[func]		Update "dynamic update temporarily disabled" message.
 			[RT #17065]
 
 2210.	[bug]		Deleting class specific records via UPDATE could
 			fail.  [RT #17074]
 
 2209.	[port]		osx: linking against user supplied static OpenSSL
 			libraries failed as the system ones were still being
 			found. [RT #17078]
 
 2208.	[port]		win32: make sure both build methods produce the
 			same output. [RT #17058]
 
 2207.	[port]		Some implementations of getaddrinfo() fail to set
 			ai_canonname correctly. [RT #17061]
 
 	--- 9.5.0a6 released ---
 
 2206.	[security]	"allow-query-cache" and "allow-recursion" now
 			cross inherit from each other.
 
 			If allow-query-cache is not set in named.conf then
 			allow-recursion is used if set, otherwise allow-query
 			is used if set, otherwise the default (localnets;
 			localhost;) is used.
 
 			If allow-recursion is not set in named.conf then
 			allow-query-cache is used if set, otherwise allow-query
 			is used if set, otherwise the default (localnets;
 			localhost;) is used.
 
 			[RT #16987]
 
 2205.	[bug]		libbind: change #2119 broke thread support. [RT #16982]
 
 2204.	[bug]		"rndc flushanme name unknown-view" caused named
 			to crash. [RT #16984]
 
 2203.	[security]	Query id generation was cryptographically weak.
 			[RT # 16915]
 
 2202.	[security]	The default acls for allow-query-cache and
 			allow-recursion were not being applied. [RT #16960]
 
 2201.	[bug]		The build failed in a separate object directory.
 			[RT #16943]
 
 2200.	[bug]		The search for cached NSEC records was stopping to
 			early leading to excessive DLV queries. [RT #16930]
 
 2199.	[bug]		win32: don't call WSAStartup() while loading dlls.
 			[RT #16911]
 
 2198.	[bug]		win32: RegCloseKey() could be called when
 			RegOpenKeyEx() failed. [RT #16911]
 
 2197.	[bug]		Add INSIST to catch negative responses which are
 			not setting the event result code appropriately.
 			[RT #16909]
 
 2196.	[port]		win32: yield processor while waiting for once to
 			to complete. [RT #16958]
 
 2195.	[func]		dnssec-keygen now defaults to nametype "ZONE"
 			when generating DNSKEYs. [RT #16954]
 
 2194.	[bug]		Close journal before calling 'done' in xfrin.c.
 
 	--- 9.5.0a5 released ---
 
 2193.	[port]		win32: BINDInstall.exe is now linked statically.
 			[RT #16906]
 
 2192.	[port]		win32: use vcredist_x86.exe to install Visual
 			Studio's redistributable dlls if building with
 			Visual Stdio 2005 or later.
 
 2191.	[func]		named-checkzone now allows dumping to stdout (-).
 			named-checkconf now has -h for help.
 			named-checkzone now has -h for help.
 			rndc now has -h for help.
 			Better handling of '-?' for usage summaries.
 			[RT #16707]
 
 2190.	[func]		Make fallback to plain DNS from EDNS due to timeouts
 			more visible.  New logging category "edns-disabled".
 			[RT #16871]
 
 2189.	[bug]		Handle socket() returning EINTR. [RT #15949]
 
 2188.	[contrib]	queryperf: autoconf changes to make the search for
 			libresolv or libbind more robust. [RT #16299]
 
 2187.	[bug]		query_addds(), query_addwildcardproof() and
 			query_addnxrrsetnsec() should take a version
 			argument. [RT #16368]
 
 2186.	[port]		cygwin: libbind: check for struct sockaddr_storage
 			independently of IPv6. [RT #16482]
 
 2185.	[port]		sunos: libbind: check for ssize_t, memmove() and
 			memchr(). [RT #16463]
 
 2184.	[bug]		bind9.xsl.h didn't build out of the source tree.
 			[RT #16830]
 
 2183.	[bug]		dnssec-signzone didn't handle offline private keys
 			well.  [RT #16832]
 
 2182.	[bug]		dns_dispatch_createtcp() and dispatch_createudp()
 			could return ISC_R_SUCCESS when they ran out of
 			memory. [RT #16365]
 
 2181.	[port]		sunos: libbind: add paths.h from BIND 8. [RT #16462]
 
 2180.	[cleanup]	Remove bit test from 'compress_test' as they
 			are no longer needed. [RT #16497]
 
 2179.	[func]		'rndc command zone' will now find 'zone' if it is
 			unique to all the views. [RT #16821]
 
 2178.	[bug]		'rndc reload' of a slave or stub zone resulted in
 			a reference leak. [RT #16867]
 
 2177.	[bug]		Array bounds overrun on read (rcodetext) at
 			debug level 10+. [RT #16798]
 
 2176.	[contrib]	dbus update to handle race condition during
 			initialization (Bugzilla 235809). [RT #16842]
 
 2175.	[bug]		win32: windows broadcast condition variable support
 			was broken. [RT #16592]
 
 2174.	[bug]		I/O errors should always be fatal when reading
 			master files. [RT #16825]
 
 2173.	[port]		win32: When compiling with MSVS 2005 SP1 we also
 			need to ship Microsoft.VC80.MFCLOC.
 
 	--- 9.5.0a4 released ---
 
 2172.	[bug]		query_addsoa() was being called with a non zone db.
 			[RT #16834]
 
 2171.	[bug]		Handle breaks in DNSSEC trust chains where the parent
 			servers are not DS aware (DS queries to the parent
 			return a referral to the child).
 
 2170.	[func]		Add acache processing to test suite. [RT #16711]
 
 2169.	[bug]		host, nslookup: when reporting NXDOMAIN report the
 			given name and not the last name searched for.
 			[RT #16763]
 
 2168.	[bug]		nsupdate: in non-interactive mode treat syntax errors
 			as fatal errors. [RT #16785]
 
 2167.	[bug]		When re-using a automatic zone named failed to
 			attach it to the new view. [RT #16786]
 
 	--- 9.5.0a3 released ---
 
 2166.	[bug]		When running in batch mode, dig could misinterpret
 			a server address as a name to be looked up, causing
 			unexpected output. [RT #16743]
 
 2165.	[func]		Allow the destination address of a query to determine
 			if we will answer the query or recurse.
 			allow-query-on, allow-recursion-on and
 			allow-query-cache-on. [RT #16291]
 
 2164.	[bug]		The code to determine how named-checkzone /
 			named-compilezone was called failed under windows.
 			[RT #16764]
 
 2163.	[bug]		If only one of query-source and query-source-v6
 			specified a port the query pools code broke (change
 			2129).  [RT #16768]
 
 2162.	[func]		Allow "rrset-order fixed" to be disabled at compile
 			time. [RT #16665]
 
 2161.	[bug]		Fix which log messages are emitted for 'rndc flush'.
 			[RT #16698]
 
 2160.	[bug]		libisc wasn't handling NULL ifa_addr pointers returned
 			from getifaddrs(). [RT #16708]
 
 	--- 9.5.0a2 released ---
 
 2159.	[bug]		Array bounds overrun in acache processing. [RT #16710]
 
 2158.	[bug]		ns_client_isself() failed to initialize key
 			leading to a REQUIRE failure. [RT #16688]
 
 2157.	[func]		dns_db_transfernode() created. [RT #16685]
 
 2156.	[bug]		Fix node reference leaks in lookup.c:lookup_find(),
 			resolver.c:validated() and resolver.c:cache_name().
 			Fix a memory leak in rbtdb.c:free_noqname().
 			Make lookup.c:lookup_find() robust against
 			event leaks. [RT #16685]
 
 2155.	[contrib]	SQLite sdb module from jaboydjr@netwalk.com.
 			[RT #16694]
 
 2154.	[func]		Scoped (e.g. IPv6 link-local) addresses may now be
 			matched in acls by omitting the scope. [RT #16599]
 
 2153.	[bug]		nsupdate could leak memory. [RT #16691]
 
 2152.	[cleanup]	Use sizeof(buf) instead of fixed number in
 			dighost.c:get_trusted_key(). [RT #16678]
 
 2151.	[bug]		Missing newline in usage message for journalprint.
 			[RT #16679]
 
 2150.	[bug]		'rrset-order cyclic' uniformly distribute the
 			starting point for the first response for a given
 			RRset. [RT #16655]
 
 2149.	[bug]		isc_mem_checkdestroyed() failed to abort on
 			if there were still active memory contexts.
 			[RT #16672]
 
 2148.	[func]		Add positive logging for rndc commands. [RT #14623]
 
 2147.	[bug]		libbind: remove potential buffer overflow from
 			hmac_link.c. [RT #16437]
 
 2146.	[cleanup]	Silence Linux's spurious "obsolete setsockopt
 			SO_BSDCOMPAT" message. [RT #16641]
 
 2145.	[bug]		Check DS/DLV digest lengths for known digests.
 			[RT #16622]
 
 2144.	[cleanup]	Suppress logging of SERVFAIL from forwarders.
 			[RT #16619]
 
 2143.	[bug]		We failed to restart the IPv6 client when the
 			kernel failed to return the destination the
 			packet was sent to. [RT #16613]
 
 2142.	[bug]		Handle master files with a modification time that
 			matches the epoch. [RT #16612]
 
 2141.	[bug]		dig/host should not be setting IDN_ASCCHECK (IDN
 			equivalent of LDH checks).  [RT #16609]
 
 2140.	[bug]		libbind: missing unlock on pthread_key_create()
 			failures. [RT #16654]
 
 2139.	[bug]		dns_view_find() was being called with wrong type
 			in adb.c. [RT #16670]
 
 2138.	[bug]		Lock order reversal in resolver.c. [RT #16653]
 
 2137.	[port]		Mips little endian and/or mips 64 bit are now
 			supported for atomic operations. [RT #16648]
 
 2136.	[bug]		nslookup/host looped if there was no search list
 			and the host didn't exist. [RT #16657]
 
 2135.	[bug]		Uninitialized rdataset in sdlz.c. [RT #16656]
 
 2134.	[func]		Additional statistics support. [RT #16666]
 
 2133.	[port]		powerpc:  Support both IBM and MacOS Power PC
 			assembler syntaxes. [RT #16647]
 
 2132.	[bug]		Missing unlock on out of memory in
 			dns_dispatchmgr_setudp().
 
 2131.	[contrib]	dlz/mysql: AXFR was broken. [RT #16630]
 
 2130.	[func]		Log if CD or DO were set. [RT #16640]
 
 2129.	[func]		Provide a pool of UDP sockets for queries to be
 			made over. See use-queryport-pool, queryport-pool-ports
 			and queryport-pool-updateinterval.  [RT #16415]
 
 2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]
 
 2127.	[port]		Improved OpenSSL 0.9.8 support. [RT #16563]
 
 2126.	[security]	Serialize validation of type ANY responses. [RT #16555]
 
 2125.	[bug]		dns_zone_getzeronosoattl() REQUIRE failure if DLZ
 			was defined. [RT #16574]
 
 2124.	[security]	It was possible to dereference a freed fetch
 			context. [RT #16584]
 
 	--- 9.5.0a1 released ---
 
 2123.	[func]		Use Doxygen to generate internal documentation.
 			[RT #11398]
 
 2122.	[func]		Experimental http server and statistics support
 			for named via xml.
 
 2121.	[func]		Add a 10 slot dead masters cache (LRU) with a 600
 			second timeout. [RT #16553]
 
 2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]
 
 2119.	[compat]	libbind: allow res_init() to succeed enough to
 			return the default domain even if it was unable
 			to allocate memory.
 
 2118.	[bug]		Handle response with long chains of domain name
 			compression pointers which point to other compression
 			pointers. [RT #16427]
 
 2117.	[bug]		DNSSEC fixes: named could fail to cache NSEC records
 			which could lead to validation failures.  named didn't
 			handle negative DS responses that were in the process
 			of being validated.  Check CNAME bit before accepting
 			NODATA proof. To be able to ignore a child NSEC there
 			must be SOA (and NS) set in the bitmap. [RT #16399]
 
 2116.	[bug]		'rndc reload' could cause the cache to continually
 			be cleaned. [RT #16401]
 
 2115.	[bug]		'rndc reconfig' could trigger a INSIST if the
 			number of masters for a zone was reduced. [RT #16444]
 
 2114.	[bug]		dig/host/nslookup: searches for names with multiple
 			labels were failing. [RT #16447]
 
 2113.	[bug]		nsupdate: if a zone is specified it should be used
 			for server discover. [RT #16455]
 
 2112.	[security]	Warn if weak RSA exponent is used. [RT #16460]
 
 2111.	[bug]		Fix a number of errors reported by Coverity.
 			[RT #16507]
 
 2110.	[bug]		"minimal-responses yes;" interacted badly with BIND 8
 			priming queries. [RT #16491]
 
 2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]
 
 2108.	[func]		DHCID support. [RT #16456]
 
 2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]
 
 2106.	[func]		'rndc status' now reports named's version. [RT #16426]
 
 2105.	[func]		GSS-TSIG support (RFC 3645).
 
 2104.	[port]		Fix Solaris SMF error message.
 
 2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
 			under Solaris.
 
 2102.	[port]		Silence Solaris 10 warnings.
 
 2101.	[bug]		OpenSSL version checks were not quite right.
 			[RT #16476]
 
 2100.	[port]		win32: copy libeay32.dll to Build\Debug.
 			Copy Debug\named-checkzone to Debug\named-compilezone.
 
 2099.	[port]		win32: more manifest issues.
 
 2098.	[bug]		Race in rbtdb.c:no_references(), which occasionally
 			triggered an INSIST failure about the node lock
 			reference.  [RT #16411]
 
 2097.	[bug]		named could reference a destroyed memory context
 			after being reloaded / reconfigured. [RT #16428]
 
 2096.	[bug]		libbind: handle applications that fail to detect
 			res_init() failures better.
 
 2095.	[port]		libbind: alway prototype inet_cidr_ntop_ipv6() and
 			net_cidr_ntop_ipv6(). [RT #16388]
 
 2094.	[contrib]	Update named-bootconf.  [RT #16404]
 
 2093.	[bug]		named-checkzone -s was broken.
 
 2092.	[bug]		win32: dig, host, nslookup.  Use registry config
 			if resolv.conf does not exist or no nameservers
 			listed. [RT #15877]
 
 2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]
 
 2090.	[port]		win32: Visual C++ 2005 command line manifest support.
 			[RT #16417]
 
 2089.	[security]	Raise the minimum safe OpenSSL versions to
 			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
 			prior to these have known security flaws which
 			are (potentially) exploitable in named. [RT #16391]
 
 2088.	[security]	Change the default RSA exponent from 3 to 65537.
 			[RT #16391]
 
 2087.	[port]		libisc failed to compile on OS's w/o a vsnprintf.
 			[RT #16382]
 
 2086.	[port]		libbind: FreeBSD now has get*by*_r() functions.
 			[RT #16403]
 
 2085.	[doc]		win32: added index.html and README to zip. [RT #16201]
 
 2084.	[contrib]	dbus update for 9.3.3rc2.
 
 2083.	[port]		win32: Visual C++ 2005 support.
 
 2082.	[doc]		Document 'cache-file' as a test only option.
 
 2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
 			[RT #16360]
 
 2080.	[port]		libbind: res_init.c did not compile on older versions
 			of Solaris. [RT #16363]
 
 2079.	[bug]		The lame cache was not handling multiple types
 			correctly. [RT #16361]
 
 2078.	[bug]		dnssec-checkzone output style "default" was badly
 			named.  It is now called "relative". [RT #16326]
 
 2077.	[bug]		'dnssec-signzone -O raw' wasn't outputting the
 			complete signed zone. [RT #16326]
 
 2076.	[bug]		Several files were missing #include <config.h>
 			causing build failures on OSF. [RT #16341]
 
 2075.	[bug]		The spillat timer event hander could leak memory.
 			[RT #16357]
 
 2074.	[bug]		dns_request_createvia2(), dns_request_createvia3(),
 			dns_request_createraw2() and dns_request_createraw3()
 			failed to send multiple UDP requests. [RT #16349]
 
 2073.	[bug]		Incorrect semantics check for update policy "wildcard".
 			[RT #16353]
 
 2072.	[bug]		We were not generating valid HMAC SHA digests.
 			[RT #16320]
 
 2071.	[port]		Test whether gcc accepts -fno-strict-aliasing.
 			[RT #16324]
 
 2070.	[bug]		The remote address was not always displayed when
 			reporting dispatch failures. [RT #16315]
 
 2069.	[bug]		Cross compiling was not working. [RT #16330]
 
 2068.	[cleanup]	Lower incremental tuning message to debug 1.
 			[RT #16319]
 
 2067.	[bug]		'rndc' could close the socket too early triggering
 			a INSIST under Windows. [RT #16317]
 
 2066.	[security]	Handle SIG queries gracefully. [RT #16300]
 
 2065.	[bug]		libbind: probe for HPUX prototypes for
 			endprotoent_r() and endservent_r().  [RT 16313]
 
 2064.	[bug]		libbind: silence AIX compiler warnings. [RT #16218]
 
 2063.	[bug]		Change #1955 introduced a bug which caused the first
 			'rndc flush' call to not free memory. [RT #16244]
 
 2062.	[bug]		'dig +nssearch' was reusing a buffer before it had
 			been returned by the socket code. [RT #16307]
 
 2061.	[bug]		Accept expired wildcard message reversed. [RT #16296]
 
 2060.	[bug]		Enabling DLZ support could leave views partially
 			configured. [RT #16295]
 
 2059.	[bug]		Search into cache rbtdb could trigger an INSIST
 			failure while cleaning up a stale rdataset.
 			[RT #16292]
 
 2058.	[bug]		Adjust how we calculate rtt estimates in the presence
 			of authoritative servers that drop EDNS and/or CD
 			requests.  Also fallback to EDNS/512 and plain DNS
 			faster for zones with less than 3 servers.  [RT #16187]
 
 2057.	[bug]		Make setting "ra" dependent on both allow-query-cache
 			and allow-recursion. [RT #16290]
 
 2056.	[bug]		dig: ixfr= was not being treated case insensitively
 			at all times. [RT #15955]
 
 2055.	[bug]		Missing goto after dropping multicast query.
 			[RT #15944]
 
 2054.	[port]		freebsd: do not explicitly link against -lpthread.
 			[RT #16170]
 
 2053.	[port]		netbsd:libbind: silence compiler warnings. [RT #16220]
 
 2052.	[bug]		'rndc' improve connect failed message to report
 			the failing address. [RT #15978]
 
 2051.	[port]		More strtol() fixes. [RT #16249]
 
 2050.	[bug]		Parsing of NSAP records was not case insensitive.
 			[RT #16287]
 
 2049.	[bug]		Restore SOA before AXFR when falling back from
 			a attempted IXFR when transferring in a zone.
 			Allow a initial SOA query before attempting
 			a AXFR to be requested. [RT #16156]
 
 2048.	[bug]		It was possible to loop forever when using
 			avoid-v4-udp-ports / avoid-v6-udp-ports when
 			the OS always returned the same local port.
 			[RT #16182]
 
 2047.	[bug]		Failed to initialize the interface flags to zero.
 			[RT #16245]
 
 2046.	[bug]		rbtdb.c:rdataset_setadditional() could cause duplicate
 			cleanup [RT #16247].
 
 2045.	[func]		Use lock buckets for acache entries to limit memory
 			consumption. [RT #16183]
 
 2044.	[port]		Add support for atomic operations for Itanium.
 			[RT #16179]
 
 2043.	[port]		nsupdate/nslookup: Force the flushing of the prompt
 			for interactive sessions. [RT #16148]
 
 2042.	[bug]		named-checkconf was incorrectly rejecting the
 			logging category "config". [RT #16117]
 
 2041.	[bug]		"configure --with-dlz-bdb=yes" produced a bad
 			set of libraries to be linked. [RT #16129]
 
 2040.	[bug]		rbtdb no_references() could trigger an INSIST
 			failure with --enable-atomic.  [RT #16022]
 
 2039.	[func]		Check that all buffers passed to the socket code
 			have been retrieved when the socket event is freed.
 			[RT #16122]
 
 2038.	[bug]		dig/nslookup/host was unlinking from wrong list
 			when handling errors. [RT #16122]
 
 2037.	[func]		When unlinking the first or last element in a list
 			check that the list head points to the element to
 			be unlinked. [RT #15959]
 
 2036.	[bug]		'rndc recursing' could cause trigger a REQUIRE.
 			[RT #16075]
 
 2035.	[func]		Make falling back to TCP on UDP refresh failure
 			optional. Default "try-tcp-refresh yes;" for BIND 8
 			compatibility. [RT #16123]
 
 2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
 
 2033.	[bug]		We weren't creating multiple client memory contexts
 			on demand as expected. [RT #16095]
 
 2032.	[bug]		Remove a INSIST in query_addadditional2(). [RT #16074]
 
 2031.	[bug]		Emit a error message when "rndc refresh" is called on
 			a non slave/stub zone. [RT # 16073]
 
 2030.	[bug]		We were being overly conservative when disabling
 			openssl engine support. [RT #16030]
 
 2029.	[bug]		host printed out the server multiple times when
 			specified on the command line. [RT #15992]
 
 2028.	[port]		linux: socket.c compatibility for old systems.
 			[RT #16015]
 
 2027.	[port]		libbind: Solaris x86 support. [RT #16020]
 
 2026.	[bug]		Rate limit the two recursive client exceeded messages.
 			[RT #16044]
 
 2025.	[func]		Update "zone serial unchanged" message. [RT #16026]
 
 2024.	[bug]		named emitted spurious "zone serial unchanged"
 			messages on reload. [RT #16027]
 
 2023.	[bug]		"make install" should create ${localstatedir}/run and
 			${sysconfdir} if they do not exist. [RT #16033]
 
 2022.	[bug]		If dnssec validation is disabled only assert CD if
 			CD was requested. [RT #16037]
 
 2021.	[bug]		dnssec-enable no; triggered a REQUIRE. [RT #16037]
 
 2020.	[bug]		rdataset_setadditional() could leak memory. [RT #16034]
 
 2019.	[tuning]	Reduce the amount of work performed per quantum
 			when cleaning the cache. [RT #15986]
 
 2018.	[bug]		Checking if the HMAC MD5 private file was broken.
 			[RT #15960]
 
 2017.	[bug]		allow-query default was not correct. [RT #15946]
 
 2016.	[bug]		Return a partial answer if recursion is not
 			allowed but requested and we had the answer
 			to the original qname. [RT #15945]
 
 2015.	[cleanup]	use-additional-cache is now acache-enable for
 			consistency.  Default acache-enable off in BIND 9.4
 			as it requires memory usage to be configured.
 			It may be enabled by default in BIND 9.5 once we
 			have more experience with it.
 
 2014.	[func]		Statistics about acache now recorded and sent
 			to log. [RT #15976]
 
 2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
 			responses more gracefully. [RT #15941]
 
 2012.	[func]		Don't insert new acache entries if acache is full.
 			[RT #15970]
 
 2011.	[func]		dnssec-signzone can now update the SOA record of
 			the signed zone, either as an increment or as the
 			system time(). [RT #15633]
 
 2010.	[placeholder]	rt15958
 
 2009.	[bug]		libbind: Coverity fixes. [RT #15808]
 
 2008.	[func]		It is now possible to enable/disable DNSSEC
 			validation from rndc.  This is useful for the
 			mobile hosts where the current connection point
 			breaks DNSSEC (firewall/proxy).  [RT #15592]
 
 				rndc validation newstate [view]
 
 2007.	[func]		It is now possible to explicitly enable DNSSEC
 			validation.  default dnssec-validation no; to
 			be changed to yes in 9.5.0.  [RT #15674]
 
 2006.	[security]	Allow-query-cache and allow-recursion now default
 			to the built in acls "localnets" and "localhost".
 
 			This is being done to make caching servers less
 			attractive as reflective amplifying targets for
 			spoofed traffic.  This still leave authoritative
 			servers exposed.
 
 			The best fix is for full BCP 38 deployment to
 			remove spoofed traffic.
 
 2005.	[bug]		libbind: Retransmission timeouts should be
 			based on which attempt it is to the nameserver
 			and not the nameserver itself. [RT #13548]
 
 2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
 			dst_context_destroy() when cleaning up after a
 			error. [RT #15835]
 
 2003.	[bug]		libbind: The DNS name/address lookup functions could
 			occasionally follow a random pointer due to
 			structures not being completely zeroed. [RT #15806]
 
 2002.	[bug]		libbind: tighten the constraints on when
 			struct addrinfo._ai_pad exists.  [RT #15783]
 
 2001.	[func]		Check the KSK flag when updating a secure dynamic zone.
 			New zone option "update-check-ksk yes;".  [RT #15817]
 
 2000.	[bug]		memmove()/strtol() fix was incomplete. [RT #15812]
 
 1999.	[func]		Implement "rrset-order fixed". [RT #13662]
 
 1998.	[bug]		Restrict handling of fifos as sockets to just SunOS.
 			This allows named to connect to entropy gathering
 			daemons that use fifos instead of sockets. [RT #15840]
 
 1997.	[bug]		Named was failing to replace negative cache entries
 			when a positive one for the type was learnt.
 			[RT #15818]
 
 1996.	[bug]		nsupdate: if a zone has been specified it should
 			appear in the output of 'show'. [RT #15797]
 
 1995.	[bug]		'host' was reporting multiple "is an alias" messages.
 			[RT #15702]
 
 1994.	[port]		OpenSSL 0.9.8 support. [RT #15694]
 
 1993.	[bug]		Log messages, via syslog, were missing the space
 			after the timestamp if "print-time yes" was specified.
 			[RT #15844]
 
 1992.	[bug]		Not all incoming zone transfer messages included the
 			view.  [RT #15825]
 
 1991.	[cleanup]	The configuration data, once read, should be treated
 			as read only.  Expand the use of const to enforce this
 			at compile time. [RT #15813]
 
 1990.	[bug]		libbind:  isc's override of broken gettimeofday()
 			implementations was not always effective.
 			[RT #15709]
 
 1989.	[bug]		win32: don't check the service password when
 			re-installing. [RT #15882]
 
 1988.	[bug]		Remove a bus error from the SHA256/SHA512 support.
 			[RT #15878]
 
 1987.	[func]		DS/DLV SHA256 digest algorithm support. [RT #15608]
 
 1986.	[func]		Report when a zone is removed. [RT #15849]
 
 1985.	[protocol]	DLV has now been assigned a official type code of
 			32769. [RT #15807]
 
 			Note: care should be taken to ensure you upgrade
 			both named and dnssec-signzone at the same time for
 			zones with DLV records where named is the master
 			server for the zone.  Also any zones that contain
 			DLV records should be removed when upgrading a slave
 			zone.  You do not however have to upgrade all
 			servers for a zone with DLV records simultaneously.
 
 1984.	[func]		dig, nslookup and host now advertise a 4096 byte
 			EDNS UDP buffer size by default. [RT #15855]
 
 1983.	[func]		Two new update policies.  "selfsub" and "selfwild".
 			[RT #12895]
 
 1982.	[bug]		DNSKEY was being accepted on the parent side of
 			a delegation.  KEY is still accepted there for
 			RFC 3007 validated updates. [RT #15620]
 
 1981.	[bug]		win32: condition.c:wait() could fail to reattain
 			the mutex lock.
 
 1980.	[func]		dnssec-signzone: output the SOA record as the
 			first record in the signed zone. [RT #15758]
 
 1979.	[port]		linux: allow named to drop core after changing
 			user ids. [RT #15753]
 
 1978.	[port]		Handle systems which have a broken recvmsg().
 			[RT #15742]
 
 1977.	[bug]		Silence noisy log message. [RT #15704]
 
 1976.	[bug]		Handle systems with no IPv4 addresses. [RT #15695]
 
 1975.	[bug]		libbind: isc_gethexstring() could misparse multi-line
 			hex strings with comments. [RT #15814]
 
 1974.	[doc]		List each of the zone types and associated zone
 			options separately in the ARM.
 
 1973.	[func]		TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
 			HMACSHA512 support. [RT #13606]
 
 1972.	[contrib]	DBUS dynamic forwarders integration from
 			Jason Vas Dias <jvdias@redhat.com>.
 
 1971.	[port]		linux: make detection of missing IF_NAMESIZE more
 			robust. [RT #15443]
 
 1970.	[bug]		nsupdate: adjust UDP timeout when falling back to
 			unsigned SOA query. [RT #15775]
 
 1969.	[bug]		win32: the socket code was freeing the socket
 			structure too early. [RT #15776]
 
 1968.	[bug]		Missing lock in resolver.c:validated(). [RT #15739]
 
 1967.	[func]		dig/nslookup/host: warn about missing "QR". [RT #15779]
 
 1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
 			[RT #15727]
 
 1965.	[func]		Suppress spurious "recursion requested but not
 			available" warning with 'dig +qr'. [RT #15780].
 
 1964.	[func]		Separate out MX and SRV to CNAME checks. [RT #15723]
 
 1963.	[port]		Tru64 4.0E doesn't support send() and recv().
 			[RT #15586]
 
 1962.	[bug]		Named failed to clear old update-policy when it
 			was removed. [RT #15491]
 
 1961.	[bug]		Check the port and address of responses forwarded
 			to dispatch. [RT #15474]
 
 1960.	[bug]		Update code should set NSEC ttls from SOA MINIMUM.
 			[RT #15465]
 
 1959.	[func]		Control the zeroing of the negative response TTL to
 			a soa query.  Defaults "zero-no-soa-ttl yes;" and
 			"zero-no-soa-ttl-cache no;". [RT #15460]
 
 1958.	[bug]		Named failed to update the zone's secure state
 			until the zone was reloaded. [RT #15412]
 
 1957.	[bug]		Dig mishandled responses to class ANY queries.
 			[RT #15402]
 
 1956.	[bug]		Improve cross compile support, 'gen' is now built
 			by native compiler.  See README for additional
 			cross compile support information. [RT #15148]
 
 1955.	[bug]		Pre-allocate the cache cleaning iterator. [RT #14998]
 
 1954.	[func]		Named now falls back to advertising EDNS with a
 			512 byte receive buffer if the initial EDNS queries
 			fail.  [RT #14852]
 
 1953.	[func]		The maximum EDNS UDP response named will send can
 			now be set in named.conf (max-udp-size).  This is
 			independent of the advertised receive buffer
 			(edns-udp-size). [RT #14852]
 
 1952.	[port]		hpux: tell the linker to build a runtime link
 			path "-Wl,+b:". [RT #14816].
 
 1951.	[security]	Drop queries from particular well known ports.
 			Don't return FORMERR to queries from particular
 			well known ports.  [RT #15636]
 
 1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
 			a TCP socket. This prevents the source address being
 			set for TCP connections. [RT #15628]
 
 1949.	[func]		Addition memory leakage checks. [RT #15544]
 
 1948.	[bug]		If was possible to trigger a REQUIRE failure in
 			xfrin.c:maybe_free() if named ran out of memory.
 			[RT #15568]
 
 1947.	[func]		It is now possible to configure named to accept
 			expired RRSIGs.  Default "dnssec-accept-expired no;".
 			Setting "dnssec-accept-expired yes;" leaves named
 			vulnerable to replay attacks.  [RT #14685]
 
 1946.	[bug]		resume_dslookup() could trigger a REQUIRE failure
 			when using forwarders. [RT #15549]
 
 1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is no longer recommended.
 			To generate a RSAMD5 key you must explicitly request
 			RSAMD5. [RT #13780]
 
 1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
 			[RT #15522]
 
 1943.	[bug]		Set the loadtime after rolling forward the journal.
 			[RT #15647]
 
 1942.	[bug]		If the name of a DNSKEY match that of one in
 			trusted-keys do not attempt to validate the DNSKEY
 			using the parents DS RRset. [RT #15649]
 
 1941.	[bug]		ncache_adderesult() should set eresult even if no
 			rdataset is passed to it. [RT #15642]
 
 1940.	[bug]		Fixed a number of error conditions reported by
 			Coverity.
 
 1939.	[bug]		The resolver could dereference a null pointer after
 			validation if all the queries have timed out.
 			[RT #15528]
 
 1938.	[bug]		The validator was not correctly handling unsecure
 			negative responses at or below a SEP. [RT #15528]
 
 1937.	[bug]		sdlz doesn't handle RRSIG records. [RT #15564]
 
 1936.	[bug]		The validator could leak memory. [RT #15544]
 
 1935.	[bug]		'acache' was DO sensitive. [RT #15430]
 
 1934.	[func]		Validate pending NS RRsets, in the authority section,
 			prior to returning them if it can be done without
 			requiring DNSKEYs to be fetched.  [RT #15430]
 
 1933.	[bug]		dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
 
 1932.	[bug]		hpux: LDFLAGS was getting corrupted. [RT #15530]
 
 1931.	[bug]		Per-client mctx could require a huge amount of memory,
 			particularly for a busy caching server. [RT #15519]
 
 1930.	[port]		HPUX: ia64 support. [RT #15473]
 
 1929.	[port]		FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
 
 1928.	[bug]		Race in rbtdb.c:currentversion(). [RT #15517]
 
 1927.	[bug]		Access to soanode or nsnode in rbtdb violated the
 			lock order rule and could cause a dead lock.
 			[RT #15518]
 
 1926.	[bug]		The Windows installer did not check for empty
 			passwords.  BINDinstall was being installed in
 			the wrong place. [RT #15483]
 
 1925.	[port]		All outer level AC_TRY_RUNs need cross compiling
 			defaults. [RT #15469]
 
 1924.	[port]		libbind: hpux ia64 support. [RT #15473]
 
 1923.	[bug]		ns_client_detach() called too early. [RT #15499]
 
 1922.	[bug]		check-tool.c:setup_logging() missing call to
 			dns_log_setcontext().
 
 1921.	[bug]		Client memory contexts were not using internal
 			malloc. [RT #15434]
 
 1920.	[bug]		The cache rbtdb lock array was too small to
 			have the desired performance characteristics.
 			[RT #15454]
 
 1919.	[contrib]	queryperf: a set of new features: collecting/printing
 			response delays, printing intermediate results, and
 			adjusting query rate for the "target" qps.
 
 1918.	[bug]		Memory leak when checking acls. [RT #15391]
 
 1917.	[doc]		funcsynopsisinfo wasn't being treated as verbatim
 			when generating man pages. [RT #15385]
 
 1916.	[func]		Integrate contributed IDN code from JPNIC. [RT #15383]
 
 1915.	[bug]		dig +ndots was broken. [RT #15215]
 
 1914.	[protocol]	DS is required to accept mnemonic algorithms
 			(RFC 4034).  Still emit numeric algorithms for
 			compatibility with RFC 3658. [RT #15354]
 
 1913.	[func]		Integrate contributed DLZ code into named. [RT #11382]
 
 1912.	[port]		aix: atomic locking for powerpc. [RT #15020]
 
 1911.	[bug]		Update windows socket code. [RT #14965]
 
 1910.	[bug]		dig's +sigchase code overhauled. [RT #14933]
 
 1909.	[bug]		The DLV code has been re-worked to make no longer
 			query order sensitive. [RT #14933]
 
 1908.	[func]		dig now warns if 'RA' is not set in the answer when
 			'RD' was set in the query.  host/nslookup skip servers
 			that fail to set 'RA' when 'RD' is set unless a server
 			is explicitly set.  [RT #15005]
 
 1907.	[func]		host/nslookup now continue (default)/fail on SERVFAIL.
 			[RT #15006]
 
 1906.	[func]		dig now has a '-q queryname' and '+showsearch' options.
 			[RT #15034]
 
 1905.	[bug]		Strings returned from cfg_obj_asstring() should be
 			treated as read-only.  The prototype for
 			cfg_obj_asstring() has been updated to reflect this.
 			[RT #15256]
 
 1904.	[func]		Automatic empty zone creation for D.F.IP6.ARPA and
 			friends.  Note: RFC 1918 zones are not yet covered by
 			this but are likely to be in a future release.
 
 			New options: empty-server, empty-contact,
 			empty-zones-enable and disable-empty-zone.
 
 1903.	[func]		ISC string copy API.
 
 1902.	[func]		Attempt to make the amount of work performed in a
 			iteration self tuning.  The covers nodes clean from
 			the cache per iteration, nodes written to disk when
 			rewriting a master file and nodes destroyed per
 			iteration when destroying a zone or a cache.
 			[RT #14996]
 
 1901.	[cleanup]	Don't add DNSKEY records to the additional section.
 
 1900.	[bug]		ixfr-from-differences failed to ensure that the
 			serial number increased. [RT #15036]
 
 1899.	[func]		named-checkconf now validates update-policy entries.
 			[RT #14963]
 
 1898.	[bug]		Extend ISC_SOCKADDR_FORMATSIZE and
 			ISC_NETADDR_FORMATSIZE to allow for scope details.
 
 1897.	[func]		x86 and x86_64 now have separate atomic locking
 			implementations.
 
 1896.	[bug]		Recursive clients soft quota support wasn't working
 			as expected. [RT #15103]
 
 1895.	[bug]		A escaped character is, potentially, converted to
 			the output character set too early. [RT #14666]
 
 1894.	[doc]		Review ARM for BIND 9.4.
 
 1893.	[port]		Use uintptr_t if available. [RT #14606]
 
 1892.	[func]		Support for SPF rdata type. [RT #15033]
 
 1891.	[port]		freebsd: pthread_mutex_init can fail if it runs out
 			of memory. [RT #14995]
 
 1890.	[func]		Raise the UDP receive buffer size to 32k if it is
 			less than 32k. [RT #14953]
 
 1889.	[port]		sunos: non blocking i/o support. [RT #14951]
 
 1888.	[func]		Support for IPSECKEY rdata type. [RT #14967]
 
 1887.	[bug]		The cache could delete expired records too fast for
 			clients with a virtual time in the past. [RT #14991]
 
 1886.	[bug]		fctx_create() could return success even though it
 			failed. [RT #14993]
 
 1885.	[func]		dig: report the number of extra bytes still left in
 			the packet after processing all the records.
 
 1884.	[cleanup]	dighost.c: move external declarations into <dig/dig.h>.
 
 1883.	[bug]		dnssec-signzone, dnssec-keygen: handle negative debug
 			levels. [RT #14962]
 
 1882.	[func]		Limit the number of recursive clients that can be
 			waiting for a single query (<qname,qtype,qclass>) to
 			resolve.  New options clients-per-query and
 			max-clients-per-query.
 
 1881.	[func]		Add a system test for named-checkconf. [RT #14931]
 
 1880.	[func]		The lame cache is now done on a <qname,qclass,qtype>
 			basis as some servers only appear to be lame for
 			certain query types.  [RT #14916]
 
 1879.	[func]		"USE INTERNAL MALLOC" is now runtime selectable.
 			[RT #14892]
 
 1878.	[func]		Detect duplicates of UDP queries we are recursing on
 			and drop them.  New stats category "duplicate".
 			[RT #2471]
 
 1877.	[bug]		Fix unreasonably low quantum on call to
 			dns_rbt_destroy2().  Remove unnecessary unhash_node()
 			call. [RT #14919]
 
 1876.	[func]		Additional memory debugging support to track size
 			and mctx arguments. [RT #14814]
 
 1875.	[bug]		process_dhtkey() was using the wrong memory context
 			to free some memory. [RT #14890]
 
 1874.	[port]		sunos: portability fixes. [RT #14814]
 
 1873.	[port]		win32: isc__errno2result() now reports its caller.
 			[RT #13753]
 
 1872.	[port]		win32: Handle ERROR_NETNAME_DELETED.  [RT #13753]
 
 1871.	[placeholder]
 
 1870.	[func]		Added framework for handling multiple EDNS versions.
 			[RT #14873]
 
 1869.	[func]		dig can now specify the EDNS version when making
 			a query. [RT #14873]
 
 1868.	[func]		edns-udp-size can now be overridden on a per
 			server basis. [RT #14851]
 
 1867.	[bug]		It was possible to trigger a INSIST in
 			dlv_validatezonekey(). [RT #14846]
 
 1866.	[bug]		resolv.conf parse errors were being ignored by
 			dig/host/nslookup. [RT #14841]
 
 1865.	[bug]		Silently ignore nameservers in /etc/resolv.conf with
 			bad addresses. [RT #14841]
 
 1864.	[bug]		Don't try the alternative transfer source if you
 			got a answer / transfer with the main source
 			address. [RT #14802]
 
 1863.	[bug]		rrset-order "fixed" error messages not complete.
 
 1862.	[func]		Add additional zone data constancy checks.
 			named-checkzone has extended checking of NS, MX and
 			SRV record and the hosts they reference.
 			named has extended post zone load checks.
 			New zone options: check-mx and integrity-check.
 			[RT #4940]
 
 1861.	[bug]		dig could trigger a INSIST on certain malformed
 			responses. [RT #14801]
 
 1860.	[port]		solaris 2.8: hack_shutup_pthreadmutexinit was
 			incorrectly set. [RT #14775]
 
 1859.	[func]		Add support for CH A record. [RT #14695]
 
 1858.	[bug]		The flush-zones-on-shutdown option wasn't being
 			parsed. [RT #14686]
 
 1857.	[bug]		named could trigger a INSIST() if reconfigured /
 			reloaded too fast.  [RT #14673]
 
 1856.	[doc]		Switch Docbook toolchain from DSSSL to XSL.
 			[RT #11398]
 
 1855.	[bug]		ixfr-from-differences was failing to detect changes
 			of ttl due to dns_diff_subtract() was ignoring the ttl
 			of records.  [RT #14616]
 
 1854.	[bug]		lwres also needs to know the print format for
 			(long long).  [RT #13754]
 
 1853.	[bug]		Rework how DLV interacts with proveunsecure().
 			[RT #13605]
 
 1852.	[cleanup]	Remove last vestiges of dnssec-signkey and
 			dnssec-makekeyset (removed from Makefile years ago).
 
 1851.	[doc]		Doxygen comment markup. [RT #11398]
 
 1850.	[bug]		Memory leak in lwres_getipnodebyaddr(). [RT #14591]
 
 1849.	[doc]		All forms of the man pages (docbook, man, html) should
 			have consistent copyright dates.
 
 1848.	[bug]		Improve SMF integration. [RT #13238]
 
 1847.	[bug]		isc_ondestroy_init() is called too late in
 			dns_rbtdb_create()/dns_rbtdb64_create().
 			[RT #13661]
 
 1846.	[contrib]	query-loc-0.3.0 from Stephane Bortzmeyer
 			<bortzmeyer@nic.fr>.
 
 1845.	[bug]		Improve error reporting to distinguish between
 			accept()/fcntl() and socket()/fcntl() errors.
 			[RT #13745]
 
 1844.	[bug]		inet_pton() accepted more that 4 hexadecimal digits
 			for each 16 bit piece of the IPv6 address.  The text
 			representation of a IPv6 address has been tightened
 			to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
 			[RT #5662]
 
 1843.	[cleanup]	CINCLUDES takes precedence over CFLAGS.  This helps
 			when CFLAGS contains "-I /usr/local/include"
 			resulting in old header files being used.
 
 1842.	[port]		cmsg_len() could produce incorrect results on
 			some platform. [RT #13744]
 
 1841.	[bug]		"dig +nssearch" now makes a recursive query to
 			find the list of nameservers to query. [RT #13694]
 
 1840.	[func]		dnssec-signzone can now randomize signature end times
 			(dnssec-signzone -j jitter). [RT #13609]
 
 1839.	[bug]		<isc/hash.h> was not being installed.
 
 1838.	[cleanup]	Don't allow Linux capabilities to be inherited.
 			[RT #13707]
 
 1837.	[bug]		Compile time option ISC_FACILITY was not effective
 			for 'named -u <user>'.  [RT #13714]
 
 1836.	[cleanup]	Silence compiler warnings in hash_test.c.
 
 1835.	[bug]		Update dnssec-signzone's usage message. [RT #13657]
 
 1834.	[bug]		Bad memset in rdata_test.c. [RT #13658]
 
 1833.	[bug]		Race condition in isc_mutex_lock_profile(). [RT #13660]
 
 1832.	[bug]		named fails to return BADKEY on unknown TSIG algorithm.
 			[RT #13620]
 
 1831.	[doc]		Update named-checkzone documentation. [RT #13604]
 
 1830.	[bug]		adb lame cache has sence of test reversed. [RT #13600]
 
 1829.	[bug]		win32: "pid-file none;" broken. [RT #13563]
 
 1828.	[bug]		isc_rwlock_init() failed to properly cleanup if it
 			encountered a error. [RT #13549]
 
 1827.	[bug]		host: update usage message for '-a'. [RT #37116]
 
 1826.	[bug]		Missing DESTROYLOCK() in isc_mem_createx() on out
 			of memory error. [RT #13537]
 
 1825.	[bug]		Missing UNLOCK() on out of memory error from in
 			rbtdb.c:subtractrdataset(). [RT #13519]
 
 1824.	[bug]		Memory leak on dns_zone_setdbtype() failure.
 			[RT #13510]
 
 1823.	[bug]		Wrong macro used to check for point to point interface.
 			[RT #13418]
 
 1822.	[bug]		check-names test for RT was reversed. [RT #13382]
 
 1821.	[placeholder]
 
 1820.	[bug]		Gracefully handle acl loops. [RT #13659]
 
 1819.	[bug]		The validator needed to check both the algorithm and
 			digest types of the DS to determine if it could be
 			used to introduce a secure zone. [RT #13593]
 
 1818.	[bug]		'named-checkconf -z' triggered an INSIST. [RT #13599]
 
 1817.	[func]		Add support for additional zone file formats for
 			improving loading performance.  The masterfile-format
 			option in named.conf can be used to specify a
 			non-default format.  A separate command
 			named-compilezone was provided to generate zone files
 			in the new format.  Additionally, the -I and -O options
 			for dnssec-signzone specify the input and output
 			formats.
 
 1816.	[port]		UnixWare: failed to compile lib/isc/unix/net.c.
 			[RT #13597]
 
 1815.	[bug]		nsupdate triggered a REQUIRE if the server was set
 			without also setting the zone and it encountered
 			a CNAME and was using TSIG.  [RT #13086]
 
 1814.	[func]		UNIX domain controls are now supported.
 
 1813.	[func]		Restructured the data locking framework using
 			architecture dependent atomic operations (when
 			available), improving response performance on
 			multi-processor machines significantly.
 			x86, x86_64, alpha, powerpc, and mips are currently
 			supported.
 
 1812.	[port]		win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
 			[RT #13453]
 
 1811.	[func]		Preserve the case of domain names in rdata during
 			zone transfers. [RT #13547]
 
 1810.	[bug]		configure, lib/bind/configure make different default
 			decisions about whether to do a threaded build.
 			[RT #13212]
 
 1809.	[bug]		"make distclean" failed for libbind if the platform
 			is not supported.
 
 1808.	[bug]		zone.c:notify_zone() contained a race condition,
 			zone->db could change underneath it.  [RT #13511]
 
 1807.	[bug]		When forwarding (forward only) set the active domain
 			from the forward zone name. [RT #13526]
 
 1806.	[bug]		The resolver returned the wrong result when a CNAME /
 			DNAME was encountered when fetching glue from a
 			secure namespace. [RT #13501]
 
 1805.	[bug]		Pending status was not being cleared when DLV was
 			active. [RT #13501]
 
 1804.	[bug]		Ensure that if we are queried for glue that it fits
 			in the additional section or TC is set to tell the
 			client to retry using TCP. [RT #10114]
 
 1803.	[bug]		dnssec-signzone sometimes failed to remove old
 			RRSIGs. [RT #13483]
 
 1802.	[bug]		Handle connection resets better. [RT #11280]
 
 1801.	[func]		Report differences between hints and real NS rrset
 			and associated address records.
 
 1800.	[bug]		Changes #1719 allowed a INSIST to be triggered.
 			[RT #13428]
 
 1799.	[bug]		'rndc flushname' failed to flush negative cache
 			entries. [RT #13438]
 
 1798.	[func]		The server syntax has been extended to support a
 			range of servers.  [RT #11132]
 
 1797.	[func]		named-checkconf now check acls to verify that they
 			only refer to existing acls. [RT #13101]
 
 1796.	[func]		"rndc freeze/thaw" now freezes/thaws all zones.
 
 1795.	[bug]		"rndc dumpdb" was not fully documented.  Minor
 			formating issues with "rndc dumpdb -all".  [RT #13396]
 
 1794.	[func]		Named and named-checkzone can now both check for
 			non-terminal wildcard records.
 
 1793.	[func]		Extend adjusting TTL warning messages. [RT #13378]
 
 1792.	[func]		New zone option "notify-delay".  Specify a minimum
 			delay between sets of NOTIFY messages.
 
 1791.	[bug]		'host -t a' still printed out AAAA and MX records.
 			[RT #13230]
 
 1790.	[cleanup]	Move lib/dns/sec/dst up into lib/dns.  This should
 			allow parallel make to succeed.
 
 1789.	[bug]		Prerequisite test for tkey and dnssec could fail
 			with "configure --with-libtool".
 
 1788.	[bug]		libbind9.la/libbind9.so needs to link against
 			libisccfg.la/libisccfg.so.
 
 1787.	[port]		HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
 
 1786.	[port]		AIX: libt_api needs to be taught to look for
 			T_testlist in the main executable (--with-libtool).
 			[RT #13239]
 
 1785.	[bug]		libbind9.la/libbind9.so needs to link against
 			libisc.la/libisc.so.
 
 1784.	[cleanup]	"libtool -allow-undefined" is the default.
 			Leave hooks in configure to allow it to be set
 			if needed in the future.
 
 1783.	[cleanup]	We only need one copy of libtool.m4, ltmain.sh in the
 			source tree.
 
 1782.	[port]		OSX: --with-libtool + --enable-libbind broke on
 			__evOptMonoTime.  [RT #13219]
 
 1781.	[port]		FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
 
 1780.	[bug]		Update libtool to 1.5.10.
 
 1779.	[port]		OSF 5.1: libtool didn't handle -pthread correctly.
 
 1778.	[port]		HUX 11.11: fix broken IN6ADDR_ANY_INIT and
 			IN6ADDR_LOOPBACK_INIT macros.
 
 1777.	[port]		OSF 5.1: fix broken IN6ADDR_ANY_INIT and
 			IN6ADDR_LOOPBACK_INIT macros.
 
 1776.	[port]		Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
 			IN6ADDR_LOOPBACK_INIT macros.
 
 1775.	[bug]		Only compile getnetent_r.c when threaded. [RT #13205]
 
 1774.	[port]		Aix: Silence compiler warnings / build failures.
 			[RT #13154]
 
 1773.	[bug]		Fast retry on host / net unreachable. [RT #13153]
 
 1772.	[placeholder]
 
 1771.	[placeholder]
 
 1770.	[bug]		named-checkconf failed to report missing a missing
 			file clause for rbt{64} master/hint zones. [RT #13009]
 
 1769.	[port]		win32: change compiler flags /MTd ==> /MDd,
 			/MT ==> /MD.
 
 1768.	[bug]		nsecnoexistnodata() could be called with a non-NSEC
 			rdataset. [RT #12907]
 
 1767.	[port]		Builds on IPv6 platforms without IPv6 Advanced API
 			support for (struct in6_pktinfo) failed.  [RT #13077]
 
 1766.	[bug]		Update the master file timestamp on successful refresh
 			as well as the journal's timestamp. [RT #13062]
 
 1765.	[bug]		configure --with-openssl=auto failed. [RT #12937]
 
 1764.	[bug]		dns_zone_replacedb failed to emit a error message
 			if there was no SOA record in the replacement db.
 			[RT #13016]
 
 1763.	[func]		Perform sanity checks on NS records which refer to
 			'in zone' names. [RT #13002]
 
 1762.	[bug]		isc_interfaceiter_create() could return ISC_R_SUCCESS
 			even when it failed. [RT #12995]
 
 1761.	[bug]		'rndc dumpdb' didn't report unassociated entries.
 			[RT #12971]
 
 1760.	[bug]		Host / net unreachable was not penalising rtt
 			estimates. [RT #12970]
 
 1759.	[bug]		Named failed to startup if the OS supported IPv6
 			but had no IPv6 interfaces configured. [RT #12942]
 
 1758.	[func]		Don't send notify messages to self. [RT #12933]
 
 1757.	[func]		host now can turn on memory debugging flags with '-m'.
 
 1756.	[func]		named-checkconf now checks the logging configuration.
 			[RT #12352]
 
 1755.	[func]		allow-update is now settable at the options / view
 			level. [RT #6636]
 
 1754.	[bug]		We weren't always attempting to query the parent
 			server for the DS records at the zone cut.
 			[RT #12774]
 
 1753.	[bug]		Don't serve a slave zone which has no NS records.
 			[RT #12894]
 
 1752.	[port]		Move isc_app_start() to after ns_os_daemonise()
 			as some fork() implementations unblock the signals
 			that are blocked by isc_app_start(). [RT #12810]
 
 1751.	[bug]		--enable-getifaddrs failed under linux. [RT #12867]
 
 1750.	[port]		lib/bind/make/rules.in:subdirs was not bash friendly.
 			[RT #12864]
 
 1749.	[bug]		'check-names response ignore;' failed to ignore.
 			[RT #12866]
 
 1748.	[func]		dig now returns the byte count for axfr/ixfr.
 
 1747.	[bug]		BIND 8 compatibility: named/named-checkconf failed
 			to parse "host-statistics-max" in named.conf.
 
 1746.	[func]		Make public the function to read a key file,
 			dst_key_read_public(). [RT #12450]
 
 1745.	[bug]		Dig/host/nslookup accept replies from link locals
 			regardless of scope if no scope was specified when
 			query was sent. [RT #12745]
 
 1744.	[bug]		If tuple2msgname() failed to convert a tuple to
 			a name a REQUIRE could be triggered. [RT #12796]
 
 1743.	[bug]		If isc_taskmgr_create() was not able to create the
 			requested number of worker threads then destruction
 			of the manager would trigger an INSIST() failure.
 			[RT #12790]
 
 1742.	[bug]		Deleting all records at a node then adding a
 			previously existing record, in a single UPDATE
 			transaction, failed to leave / regenerate the
 			associated RRSIG records. [RT #12788]
 
 1741.	[bug]		Deleting all records at a node in a secure zone
 			using a update-policy grant failed. [RT #12787]
 
 1740.	[bug]		Replace rbt's hash algorithm as it performed badly
 			with certain zones. [RT #12729]
 
 			NOTE: a hash context now needs to be established
 			via isc_hash_create() if the application was not
 			already doing this.
 
 1739.	[bug]		dns_rbt_deletetree() could incorrectly return
 			ISC_R_QUOTA.  [RT #12695]
 
 1738.	[bug]		Enable overrun checking by default. [RT #12695]
 
 1737.	[bug]		named failed if more than 16 masters were specified.
 			[RT #12627]
 
 1736.	[bug]		dst_key_fromnamedfile() could fail to read a
 			public key. [RT #12687]
 
 1735.	[bug]		'dig +sigtrace' could die with a REQUIRE failure.
 			[RE #12688]
 
 1734.	[cleanup]	'rndc-confgen -a -t' remove extra '/' in path.
 			[RT #12588]
 
 1733.	[bug]		Return non-zero exit status on initial load failure.
 			[RT #12658]
 
 1732.	[bug]		'rrset-order name "*"' wasn't being applied to ".".
 			[RT #12467]
 
 1731.	[port]		darwin: relax version test in ifconfig.sh.
 			[RT #12581]
 
 1730.	[port]		Determine the length type used by the socket API.
 			[RT #12581]
 
 1729.	[func]		Improve check-names error messages.
 
 1728.	[doc]		Update check-names documentation.
 
 1727.	[bug]		named-checkzone: check-names support didn't match
 			documentation.
 
 1726.	[port]		aix5: add support for aix5.
 
 1725.	[port]		linux: update error message on interaction of threads,
 			capabilities and setuid support (named -u). [RT #12541]
 
 1724.	[bug]		Look for DNSKEY records with "dig +sigtrace".
 			[RT #12557]
 
 1723.	[cleanup]	Silence compiler warnings from t_tasks.c. [RT #12493]
 
 1722.	[bug]		Don't commit the journal on malformed ixfr streams.
 			[RT #12519]
 
 1721.	[bug]		Error message from the journal processing were not
 			always identifying the relevant journal. [RT #12519]
 
 1720.	[bug]		'dig +chase' did not terminate on a RFC 2308 Type 1
 			negative response. [RT #12506]
 
 1719.	[bug]		named was not correctly caching a RFC 2308 Type 1
 			negative response. [RT #12506]
 
 1718.	[bug]		nsupdate was not handling RFC 2308 Type 3 negative
 			responses when looking for the zone / master server.
 			[RT #12506]
 
 1717.	[port]		solaris: ifconfig.sh did not support Solaris 10.
 			"ifconfig.sh down" didn't work for Solaris 9.
 
 1716.	[doc]		named.conf(5) was being installed in the wrong
 			location.  [RT #12441]
 
 1715.	[func]		'dig +trace' now randomly selects the next servers
 			to try.  Report if there is a bad delegation.
 
 1714.	[bug]		dig/host/nslookup were only trying the first
 			address when a nameserver was specified by name.
 			[RT #12286]
 
 1713.	[port]		linux: extend capset failure message to say:
 			please ensure that the capset kernel module is
 			loaded.  see insmod(8)
 
 1712.	[bug]		Missing FULLCHECK for "trusted-key" in dig.
 
 1711.	[func]		'rndc unfreeze' has been deprecated by 'rndc thaw'.
 
 1710.	[func]		'rndc notify zone [class [view]]' resend the NOTIFY
 			messages for the specified zone. [RT #9479]
 
 1709.	[port]		solaris: add SMF support from Sun.
 
 1708.	[cleanup]	Replaced dns_fullname_hash() with dns_name_fullhash()
 			for conformance to the name space convention.  Binary
 			backward compatibility to the old function name is
 			provided. [RT #12376]
 
 1707.	[contrib]	sdb/ldap updated to version 1.0-beta.
 
 1706.	[bug]		'rndc stop' failed to cause zones to be flushed
 			sometimes. [RT #12328]
 
 1705.	[func]		Allow the journal's name to be changed via named.conf.
 
 1704.	[port]		lwres needed a snprintf() implementation for
 			platforms without snprintf().  Add missing
 			"#include <isc/print.h>". [RT #12321]
 
 1703.	[bug]		named would loop sending NOTIFY messages when it
 			failed to receive a response. [RT #12322]
 
 1702.	[bug]		also-notify should not be applied to built in zones.
 			[RT #12323]
 
 1701.	[doc]		A minimal named.conf man page.
 
 1700.	[func]		nslookup is no longer to be treated as deprecated.
 			Remove "deprecated" warning message.  Add man page.
 
 1699.	[bug]		dnssec-signzone can generate "not exact" errors
 			when resigning. [RT #12281]
 
 1698.	[doc]		Use reserved IPv6 documentation prefix.
 
 1697.	[bug]		xxx-source{,-v6} was not effective when it
 			specified one of listening addresses and a
 			different port than the listening port. [RT #12257]
 
 1696.	[bug]		dnssec-signzone failed to clean out nodes that
 			consisted of only NSEC and RRSIG records.
 			[RT #12154]
 
 1695.	[bug]		DS records when forwarding require special handling.
 			[RT #12133]
 
 1694.	[bug]		Report if the builtin views of "_default" / "_bind"
 			are defined in named.conf. [RT #12023]
 
 1693.	[bug]		max-journal-size was not effective for master zones
 			with ixfr-from-differences set. [RT #12024]
 
 1692.	[bug]		Don't set -I, -L and -R flags when libcrypto is in
 			/usr/lib. [RT #11971]
 
 1691.	[bug]		sdb's attachversion was not complete. [RT #11990]
 
 1690.	[bug]		Delay detaching view from the client until UPDATE
 			processing completes when shutting down. [RT #11714]
 
 1689.	[bug]		DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
 			contained gratuitous semicolons. [RT #11707]
 
 1688.	[bug]		LDFLAGS was not supported.
 
 1687.	[bug]		Race condition in dispatch. [RT #10272]
 
 1686.	[bug]		Named sent a extraneous NOTIFY when it received a
 			redundant UPDATE request. [RT #11943]
 
 1685.	[bug]		Change #1679 loop tests weren't quite right.
 
 1684.	[func]		ixfr-from-differences now takes master and slave in
 			addition to yes and no at the options and view levels.
 
 1683.	[bug]		dig +sigchase could leak memory. [RT #11445]
 
 1682.	[port]		Update configure test for (long long) printf format.
 			[RT #5066]
 
 1681.	[bug]		Only set SO_REUSEADDR when a port is specified in
 			isc_socket_bind(). [RT #11742]
 
 1680.	[func]		rndc: the source address can now be specified.
 
 1679.	[bug]		When there was a single nameserver with multiple
 			addresses for a zone not all addresses were tried.
 			[RT #11706]
 
 1678.	[bug]		RRSIG should use TYPEXXXXX for unknown types.
 
 1677.	[bug]		dig: +aaonly didn't work, +aaflag undocumented.
 
 1676.	[func]		New option "allow-query-cache".  This lets
 			allow-query be used to specify the default zone
 			access level rather than having to have every
 			zone override the global value.  allow-query-cache
 			can be set at both the options and view levels.
 			If allow-query-cache is not set allow-query applies.
 
 1675.	[bug]		named would sometimes add extra NSEC records to
 			the authority section.
 
 1674.	[port]		linux: increase buffer size used to scan
 			/proc/net/if_inet6.
 
 1673.	[port]		linux: issue a error messages if IPv6 interface
 			scans fails.
 
 1672.	[cleanup]	Tests which only function in a threaded build
 			now return R:THREADONLY (rather than R:UNTESTED)
 			in a non-threaded build.
 
 1671.	[contrib]	queryperf: add NAPTR to the list of known types.
 
 1670.	[func]		Log UPDATE requests to slave zones without an acl as
 			"disabled" at debug level 3. [RT #11657]
 
 1669.	[placeholder]
 
 1668.	[bug]		DIG_SIGCHASE was making bin/dig/host dump core.
 
 1667.	[port]		linux: not all versions have IF_NAMESIZE.
 
 1666.	[bug]		The optional port on hostnames in dual-stack-servers
 			was being ignored.
 
 1665.	[func]		rndc now allows addresses to be set in the
 			server clauses.
 
 1664.	[bug]		nsupdate needed KEY for SIG(0), not DNSKEY.
 
 1663.	[func]		Look for OpenSSL by default.
 
 1662.	[bug]		Change #1658 failed to change one use of 'type'
 			to 'keytype'.
 
 1661.	[bug]		Restore dns_name_concatenate() call in
 			adb.c:set_target().  [RT #11582]
 
 1660.	[bug]		win32: connection_reset_fix() was being called
 			unconditionally.  [RT #11595]
 
 1659.	[cleanup]	Cleanup some messages that were referring to KEY vs
 			DNSKEY, NXT vs NSEC and SIG vs RRSIG.
 
 1658.	[func]		Update dnssec-keygen to default to KEY for HMAC-MD5
 			and DH.  Tighten which options apply to KEY and
 			DNSKEY records.
 
 1657.	[doc]		ARM: document query log output.
 
 1656.	[doc]		Update DNSSEC description in ARM to cover DS, NSEC
 			DNSKEY and RRSIG.  [RT #11542]
 
 1655.	[bug]		Logging multiple versions w/o a size was broken.
 			[RT #11446]
 
 1654.	[bug]		isc_result_totext() contained array bounds read
 			error.
 
 1653.	[func]		Add key type checking to dst_key_fromfilename(),
 			DST_TYPE_KEY should be used to read TSIG, TKEY and
 			SIG(0) keys.
 
 1652.	[bug]		TKEY still uses KEY.
 
 1651.	[bug]		dig: process multiple dash options.
 
 1650.	[bug]		dig, nslookup: flush standard out after each command.
 
 1649.	[bug]		Silence "unexpected non-minimal diff" message.
 			[RT #11206]
 
 1648.	[func]		Update dnssec-lookaside named.conf syntax to support
 			multiple dnssec-lookaside namespaces (not yet
 			implemented).
 
 1647.	[bug]		It was possible trigger a INSIST when chasing a DS
 			record that required walking back over a empty node.
 			[RT #11445]
 
 1646.	[bug]		win32: logging file versions didn't work with
 			non-UNC filenames.  [RT #11486]
 
 1645.	[bug]		named could trigger a REQUIRE failure if multiple
 			masters with keys are specified.
 
 1644.	[bug]		Update the journal modification time after a
 			successful refresh query. [RT #11436]
 
 1643.	[bug]		dns_db_closeversion() could leak memory / node
 			references. [RT #11163]
 
 1642.	[port]		Support OpenSSL implementations which don't have
 			DSA support. [RT #11360]
 
 1641.	[bug]		Update the check-names description in ARM. [RT #11389]
 
 1640.	[bug]		win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
 			incorrectly closing the socket.  [RT #11291]
 
 1639.	[func]		Initial dlv system test.
 
 1638.	[bug]		"ixfr-from-differences" could generate a REQUIRE
 			failure if the journal open failed. [RT #11347]
 
 1637.	[bug]		Node reference leak on error in addnoqname().
 
 1636.	[bug]		The dump done callback could get ISC_R_SUCCESS even if
 			a error had occurred.  The database version no longer
 			matched the version of the database that was dumped.
 
 1635.	[bug]		Memory leak on error in query_addds().
 
 1634.	[bug]		named didn't supply a useful error message when it
 			detected duplicate views.  [RT #11208]
 
 1633.	[bug]		named should return NOTIMP to update requests to a
 			slaves without a allow-update-forwarding acl specified.
 			[RT #11331]
 
 1632.	[bug]		nsupdate failed to send prerequisite only UPDATE
 			messages. [RT #11288]
 
 1631.	[bug]		dns_journal_compact() could sometimes corrupt the
 			journal. [RT #11124]
 
 1630.	[contrib]	queryperf: add support for IPv6 transport.
 
 1629.	[func]		dig now supports IPv6 scoped addresses with the
 			extended format in the local-server part. [RT #8753]
 
 1628.	[bug]		Typo in Compaq Trucluster support. [RT #11264]
 
 1627.	[bug]		win32: sockets were not being closed when the
 			last external reference was removed. [RT #11179]
 
 1626.	[bug]		--enable-getifaddrs was broken. [RT #11259]
 
 1625.	[bug]		named failed to load/transfer RFC2535 signed zones
 			which contained CNAMES. [RT #11237]
 
 1624.	[bug]		zonemgr_putio() call should be locked. [RT #11163]
 
 1623.	[bug]		A serial number of zero was being displayed in the
 			"sending notifies" log message when also-notify was
 			used. [RT #11177]
 
 1622.	[func]		probe the system to see if IPV6_(RECV)PKTINFO is
 			available, and suppress wildcard binding if not.
 
 1621.	[bug]		match-destinations did not work for IPv6 TCP queries.
 			[RT #11156]
 
 1620.	[func]		When loading a zone report if it is signed. [RT #11149]
 
 1619.	[bug]		Missing ISC_LIST_UNLINK in end_reserved_dispatches().
 			[RT #11118]
 
 1618.	[bug]		Fencepost errors in dns_name_ishostname() and
 			dns_name_ismailbox() could trigger a INSIST().
 
 1617.	[port]		win32: VC++ 6.0 support.
 
 1616.	[compat]	Ensure that named's version is visible in the core
 			dump. [RT #11127]
 
 1615.	[port]		Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
 			it is defined.
 
 1614.	[port]		win32: silence resource limit messages. [RT #11101]
 
 1613.	[bug]		Builds would fail on machines w/o a if_nametoindex().
 			Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
 			[RT #11119]
 
 1612.	[bug]		check-names at the option/view level could trigger
 			an INSIST. [RT #11116]
 
 1611.	[bug]		solaris: IPv6 interface scanning failed to cope with
 			no active IPv6 interfaces.
 
 1610.	[bug]		On dual stack machines "dig -b" failed to set the
 			address type to be looked up with "@server".
 			[RT #11069]
 
 1609.	[func]		dig now has support to chase DNSSEC signature chains.
 			Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
 
 			DNSSEC validation code in dig coded by Olivier Courtay
 			(olivier.courtay@irisa.fr) for the IDsA project
 			(http://idsa.irisa.fr).
 
 1608.	[func]		dig and host now accept -4/-6 to select IP transport
 			to use when making queries.
 
 1607.	[bug]		dig, host and nslookup were still using random()
 			to generate query ids. [RT #11013]
 
 1606.	[bug]		DLV insecurity proof was failing.
 
 1605.	[func]		New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
 
 1604.	[bug]		A xfrout_ctx_create() failure would result in
 			xfrout_ctx_destroy() being called with a
 			partially initialized structure.
 
 1603.	[bug]		nsupdate: set interactive based on isatty().
 			[RT #10929]
 
 1602.	[bug]		Logging to a file failed unless a size was specified.
 			[RT #10925]
 
 1601.	[bug]		Silence spurious warning 'both "recursion no;" and
 			"allow-recursion" active' warning from view "_bind".
 			[RT #10920]
 
 1600.	[bug]		Duplicate zone pre-load checks were not case
 			insensitive.
 
 1599.	[bug]		Fix memory leak on error path when checking named.conf.
 
 1598.	[func]		Specify that certain parts of the namespace must
 			be secure (dnssec-must-be-secure).
 
 1597.	[func]		Allow notify-source and query-source to be specified
 			on a per server basis similar to transfer-source.
 			[RT #6496]
 
 1596.	[func]		Accept 'notify-source' style syntax for query-source.
 
 1595.	[func]		New notify type 'master-only'.  Enable notify for
 			master zones only.
 
 1594.	[bug]		'rndc dumpdb' could prevent named from answering
 			queries while the dump was in progress.  [RT #10565]
 
 1593.	[bug]		rndc should return "unknown command" to unknown
 			commands. [RT #10642]
 
 1592.	[bug]		configure_view() could leak a dispatch. [RT #10675]
 
 1591.	[bug]		libbind: updated to BIND 8.4.5.
 
 1590.	[port]		netbsd: update thread support.
 
 1589.	[func]		DNSSEC lookaside validation.
 
 1588.	[bug]		win32: TCP sockets could become blocked. [RT #10115]
 
 1587.	[bug]		dns_message_settsigkey() failed to clear existing key.
 			[RT #10590]
 
 1586.	[func]		"check-names" is now implemented.
 
 1585.	[placeholder]
 
 1584.	[bug]		"make test" failed with a read only source tree.
 			[RT #10461]
 
 1583.	[bug]		Records add via UPDATE failed to get the correct trust
 			level. [RT #10452]
 
 1582.	[bug]		rrset-order failed to work on RRsets with more
 			than 32 elements. [RT #10381]
 
 1581.	[func]		Disable DNSSEC support by default.  To enable
 			DNSSEC specify "dnssec-enable yes;" in named.conf.
 
 1580.	[bug]		Zone destruction on final detach takes a long time.
 			[RT #3746]
 
 1579.	[bug]		Multiple task managers could not be created.
 
 1578.	[bug]		Don't use CLASS E IPv4 addresses when resolving.
 			[RT #10346]
 
 1577.	[bug]		Use isc_uint32_t in ultrasparc optimizer bug
 			workaround code. [RT #10331]
 
 1576.	[bug]		Race condition in dns_dispatch_addresponse().
 			[RT #10272]
 
 1575.	[func]		Log TSIG name on TSIG verify failure. [RT #4404]
 
 1574.	[bug]		Don't attempt to open the controls socket(s) when
 			running tests. [RT #9091]
 
 1573.	[port]		linux: update to libtool 1.5.2 so that
 			"make install DESTDIR=/xx" works with
 			"configure --with-libtool".  [RT #9941]
 
 1572.	[bug]		nsupdate: sign the soa query to find the enclosing
 			zone if the server is specified. [RT #10148]
 
 1571.	[bug]		rbt:hash_node() could fail leaving the hash table
 			in an inconsistent state.  [RT #10208]
 
 1570.	[bug]		nsupdate failed to handle classes other than IN.
 			New keyword 'class' which sets the default class.
 			[RT #10202]
 
 1569.	[func]		nsupdate new command 'answer' which displays the
 			complete answer message to the last update.
 
 1568.	[bug]		nsupdate now reports that the update failed in
 			interactive mode. [RT #10236]
 
 1567.	[maint]		B.ROOT-SERVERS.NET is now 192.228.79.201.
 
 1566.	[port]		Support for the cmsg framework on Solaris and HP/UX.
 			This also solved the problem that match-destinations
 			for IPv6 addresses did not work on these systems.
 			[RT #10221]
 
 1565.	[bug]		CD flag should be copied to outgoing queries unless
 			the query is under a secure entry point in which case
 			CD should be set.
 
 1564.	[func]		Attempt to provide a fallback entropy source to be
 			used if named is running chrooted and named is unable
 			to open entropy source within the chroot area.
 			[RT #10133]
 
 1563.	[bug]		Gracefully fail when unable to obtain neither an IPv4
 			nor an IPv6 dispatch. [RT #10230]
 
 1562.	[bug]		isc_socket_create() and isc_socket_accept() could
 			leak memory under error conditions. [RT #10230]
 
 1561.	[bug]		It was possible to release the same name twice if
 			named ran out of memory. [RT #10197]
 
 1560.	[port]		FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
 			and EAI_NONAME to the same value.
 
 1559.	[port]		named should ignore SIGFSZ.
 
 1558.	[func]		New DNSSEC 'disable-algorithms'.  Support entry into
 			child zones for which we don't have a supported
 			algorithm.  Such child zones are treated as unsigned.
 
 1557.	[func]		Implement missing DNSSEC tests for
 			* NOQNAME proof with wildcard answers.
 			* NOWILDARD proof with NXDOMAIN.
 			Cache and return NOQNAME with wildcard answers.
 
 1556.	[bug]		nsupdate now treats all names as fully qualified.
 			[RT #6427]
 
 1555.	[func]		'rrset-order cyclic' no longer has a random starting
 			point per query. [RT #7572]
 
 1554.	[bug]		dig, host, nslookup failed when no nameservers
 			were specified in /etc/resolv.conf. [RT #8232]
 
 1553.	[bug]		The windows socket code could stop accepting
 			connections. [RT #10115]
 
 1552.	[bug]		Accept NOTIFY requests from mapped masters if
 			matched-mapped is set. [RT #10049]
 
 1551.	[port]		Open "/dev/null" before calling chroot().
 
 1550.	[port]		Call tzset(), if available, before calling chroot().
 
 1549.	[func]		named-checkzone can now write out the zone contents
 			in a easily parsable format (-D and -o).
 
 1548.	[bug]		When parsing APL records it was possible to silently
 			accept out of range ADDRESSFAMILY values. [RT #9979]
 
 1547.	[bug]		Named wasted memory recording duplicate lame zone
 			entries. [RT #9341]
 
 1546.	[bug]		We were rejecting valid secure CNAME to negative
 			answers.
 
 1545.	[bug]		It was possible to leak memory if named was unable to
 			bind to the specified transfer source and TSIG was
 			being used. [RT #10120]
 
 1544.	[bug]		Named would logged a single entry to a file despite it
 			being over the specified size limit.
 
 1543.	[bug]		Logging using "versions unlimited" did not work.
 
 1542.	[placeholder]
 
 1541.	[func]		NSEC now uses new bitmap format.
 
 1540.	[bug]		"rndc reload <dynamiczone>" was silently accepted.
 			[RT #8934]
 
 1539.	[bug]		Open UDP sockets for notify-source and transfer-source
 			that use reserved ports at startup. [RT #9475]
 
 1538.	[placeholder]	rt9997
 
 1537.	[func]		New option "querylog".  If set specify whether query
 			logging is to be enabled or disabled at startup.
 
 1536.	[bug]		Windows socket code failed to log a error description
 			when returning ISC_R_UNEXPECTED. [RT #9998]
 
 1535.	[placeholder]
 
 1534.	[bug]		Race condition when priming cache. [RT #9940]
 
 1533.	[func]		Warn if both "recursion no;" and "allow-recursion"
 			are active. [RT #4389]
 
 1532.	[port]		netbsd: the configure test for <sys/sysctl.h>
 			requires <sys/param.h>.
 
 1531.	[port]		AIX more libtool fixes.
 
 1530.	[bug]		It was possible to trigger a INSIST() failure if a
 			slave master file was removed at just the correct
 			moment. [RT #9462]
 
 1529.	[bug]		"notify explicit;" failed to log that NOTIFY messages
 			were being sent for the zone. [RT #9442]
 
 1528.	[cleanup]	Simplify some dns_name_ functions based on the
 			deprecation of bitstring labels.
 
 1527.	[cleanup]	Reduce the number of gettimeofday() calls without
 			losing necessary timer granularity.
 
 1526.	[func]		Implemented "additional section caching (or acache)",
 			an internal cache framework for additional section
 			content to improve response performance.  Several
 			configuration options were provided to control the
 			behavior.
 
 1525.	[bug]		dns_cache_create() could trigger a REQUIRE
 			failure in isc_mem_put() during error cleanup.
 			[RT #9360]
 
 1524.	[port]		AIX needs to be able to resolve all symbols when
 			creating shared libraries (--with-libtool).
 
 1523.	[bug]		Fix race condition in rbtdb. [RT #9189]
 
 1522.	[bug]		dns_db_findnode() relax the requirements on 'name'.
 			[RT #9286]
 
 1521.	[bug]		dns_view_createresolver() failed to check the
 			result from isc_mem_create(). [RT #9294]
 
 1520.	[protocol]	Add SSHFP (SSH Finger Print) type.
 
 1519.	[bug]		dnssec-signzone:nsec_setbit() computed the wrong
 			length of the new bitmap.
 
 1518.	[bug]		dns_nsec_buildrdata(), and hence dns_nsec_build(),
 			contained a off-by-one error when working out the
 			number of octets in the bitmap.
 
 1517.	[port]		Support for IPv6 interface scanning on HP/UX and
 			TrueUNIX 5.1.
 
 1516.	[func]		Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
 
 1515.	[func]		Allow transfer source to be set in a server statement.
 			[RT #6496]
 
 1514.	[bug]		named: isc_hash_destroy() was being called too early.
 			[RT #9160]
 
 1513.	[doc]		Add "US" to root-delegation-only exclude list.
 
 1512.	[bug]		Extend the delegation-only logging to return query
 			type, class and responding nameserver.
 
 1511.	[bug]		delegation-only was generating false positives
 			on negative answers from sub-zones.
 
 1510.	[func]		New view option "root-delegation-only".  Apply
 			delegation-only check to all TLDs and root.
 			Note there are some TLDs that are NOT delegation
 			only (e.g. DE, LV, US and MUSEUM) these can be excluded
 			from the checks by using exclude.
 
 			root-delegation-only exclude {
 				"DE"; "LV"; "US"; "MUSEUM";
 			};
 
 1509.	[bug]		Hint zones should accept delegation-only.  Forward
 			zone should not accept delegation-only.
 
 1508.	[bug]		Don't apply delegation-only checks to answers from
 			forwarders.
 
 1507.	[bug]		Handle BIND 8 style returns to NS queries to parents
 			when making delegation-only checks.
 
 1506.	[bug]		Wrong return type for dns_view_isdelegationonly().
 
 1505.	[bug]		Uninitialized rdataset in sdb. [RT #8750]
 
 1504.	[func]		New zone type "delegation-only".
 
 1503.	[port]		win32: install libeay32.dll outside of system32.
 
 1502.	[bug]		nsupdate: adjust timeouts for UPDATE requests over TCP.
 
 1501.	[func]		Allow TCP queue length to be specified via
 			named.conf, tcp-listen-queue.
 
 1500.	[bug]		host failed to lookup MX records.  Also look up
 			AAAA records.
 
 1499.	[bug]		isc_random need to be seeded better if arc4random()
 			is not used.
 
 1498.	[port]		bsdos: 5.x support.
 
 1497.	[placeholder]
 
 1496.	[port]		test for pthread_attr_setstacksize().
 
 1495.	[cleanup]	Replace hash functions with universal hash.
 
 1494.	[security]	Turn on RSA BLINDING as a precaution.
 
 1493.	[placeholder]
 
 1492.	[cleanup]	Preserve rwlock quota context when upgrading /
 			downgrading. [RT #5599]
 
 1491.	[bug]		dns_master_dump*() would produce extraneous $ORIGIN
 			lines. [RT #6206]
 
 1490.	[bug]		Accept reading state as well as working state in
 			ns_client_next(). [RT #6813]
 
 1489.	[compat]	Treat 'allow-update' on slave zones as a warning.
 			[RT #3469]
 
 1488.	[bug]		Don't override trust levels for glue addresses.
 			[RT #5764]
 
 1487.	[bug]		A REQUIRE() failure could be triggered if a zone was
 			queued for transfer and the zone was then removed.
 			[RT #6189]
 
 1486.	[bug]		isc_print_snprintf() '%%' consumed one too many format
 			characters. [RT #8230]
 
 1485.	[bug]		gen failed to handle high type values. [RT #6225]
 
 1484.	[bug]		The number of records reported after a AXFR was wrong.
 			[RT #6229]
 
 1483.	[bug]		dig axfr failed if the message id in the answer failed
 			to match that in the request.  Only the id in the first
 			message is required to match. [RT #8138]
 
 1482.	[bug]		named could fail to start if the kernel supports
 			IPv6 but no interfaces are configured.  Similarly
 			for IPv4. [RT #6229]
 
 1481.	[bug]		Refresh and stub queries failed to use masters keys
 			if specified. [RT #7391]
 
 1480.	[bug]		Provide replay protection for rndc commands.  Full
 			replay protection requires both rndc and named to
 			be updated.  Partial replay protection (limited
 			exposure after restart) is provided if just named
 			is updated.
 
 1479.	[bug]		cfg_create_tuple() failed to handle out of
 			memory cleanup.  parse_list() would leak memory
 			on syntax errors.
 
 1478.	[port]		ifconfig.sh didn't account for other virtual
 			interfaces.  It now takes a optional argument
 			to specify the first interface number. [RT #3907]
 
 1477.	[bug]		memory leak using stub zones and TSIG.
 
 1476.	[placeholder]
 
 1475.	[port]		Probe for old sprintf().
 
 1474.	[port]		Provide strtoul() and memmove() for platforms
 			without them.
 
 1473.	[bug]		create_map() and create_string() failed to handle out
 			of memory cleanup.  [RT #6813]
 
 1472.	[contrib]	idnkit-1.0 from JPNIC, replaces mdnkit.
 
 1471.	[bug]		libbind: updated to BIND 8.4.0.
 
 1470.	[bug]		Incorrect length passed to snprintf. [RT #5966]
 
 1469.	[func]		Log end of outgoing zone transfer at same level
 			as the start of transfer is logged. [RT #4441]
 
 1468.	[func]		Internal zones are no longer counted for
 			'rndc status'.  [RT #4706]
 
 1467.	[func]		$GENERATES now supports optional class and ttl.
 
 1466.	[bug]		lwresd configuration errors resulted in memory
 			and lock leaks.  [RT #5228]
 
 1465.	[bug]		isc_base64_decodestring() and isc_base64_tobuffer()
 			failed to check that trailing bits were zero allowing
 			some invalid base64 strings to be accepted.  [RT #5397]
 
 1464.	[bug]		Preserve "out of zone" data for outgoing zone
 			transfers. [RT #5192]
 
 1463.	[bug]		dns_rdata_from{wire,struct}() failed to catch bad
 			NXT bit maps. [RT #5577]
 
 1462.	[bug]		parse_sizeval() failed to check the token type.
 			[RT #5586]
 
 1461.	[bug]		Remove deadlock from rbtdb code. [RT #5599]
 
 1460.	[bug]		inet_pton() failed to reject certain malformed
 			IPv6 literals.
 
 1459.	[placeholder]
 
 1458.	[cleanup]	sprintf() -> snprintf().
 
 1457.	[port]		Provide strlcat() and strlcpy() for platforms without
 			them.
 
 1456.	[contrib]	gen-data-queryperf.py from Stephane Bortzmeyer.
 
 1455.	[bug]		<netaddr> missing from server grammar in
 			doc/misc/options. [RT #5616]
 
 1454.	[port]		Use getifaddrs() if available for interface scanning.
 			--disable-getifaddrs to override.  Glibc currently
 			has a getifaddrs() that does not support IPv6.
 			Use --enable-getifaddrs=glibc to force the use of
 			this version under linux machines.
 
 1453.	[doc]		ARM: $GENERATE example wasn't accurate. [RT #5298]
 
 1452.	[placeholder]
 
 1451.	[bug]		rndc-confgen didn't exit with a error code for all
 			failures. [RT #5209]
 
 1450.	[bug]		Fetching expired glue failed under certain
 			circumstances.  [RT #5124]
 
 1449.	[bug]		query_addbestns() didn't handle running out of memory
 			gracefully.
 
 1448.	[bug]		Handle empty wildcards labels.
 
 1447.	[bug]		We were casting (unsigned int) to and from (void *).
 			rdataset->private4 is now rdataset->privateuint4
 			to reflect a type change.
 
 1446.	[func]		Implemented undocumented alternate transfer sources
 			from BIND 8.  See use-alt-transfer-source,
 			alt-transfer-source and alt-transfer-source-v6.
 
 			SECURITY: use-alt-transfer-source is ENABLED unless
 			you are using views.  This may cause a security risk
 			resulting in accidental disclosure of wrong zone
 			content if the master supplying different source
 			content based on IP address.  If you are not certain
 			ISC recommends setting use-alt-transfer-source no;
 
 1445.	[bug]		DNS_ADBFIND_STARTATROOT broke stub zones.  This has
 			been replaced with DNS_ADBFIND_STARTATZONE which
 			causes the search to start using the closest zone.
 
 1444.	[func]		dns_view_findzonecut2() allows you to specify if the
 			cache should be searched for zone cuts.
 
 1443.	[func]		Masters lists can now be specified and referenced
 			in zone masters clauses and other masters lists.
 
 1442.	[func]		New functions for manipulating port lists:
 			dns_portlist_create(), dns_portlist_add(),
 			dns_portlist_remove(), dns_portlist_match(),
 			dns_portlist_attach() and dns_portlist_detach().
 
 1441.	[func]		It is now possible to tell dig to bind to a specific
 			source port.
 
 1440.	[func]		It is now possible to tell named to avoid using
 			certain source ports (avoid-v4-udp-ports,
 			avoid-v6-udp-ports).
 
 1439.	[bug]		Named could return NOERROR with certain NOTIFY
 			failures.  Return NOTAUTH if the NOTIFY zone is
 			not being served.
 
 1438.	[func]		Log TSIG (if any) when logging NOTIFY requests.
 
 1437.	[bug]		Leave space for stdio to work in. [RT #5033]
 
 1436.	[func]		dns_zonemgr_resumexfrs() can be used to restart
 			stalled transfers.
 
 1435.	[bug]		zmgr_resume_xfrs() was being called read locked
 			rather than write locked.  zmgr_resume_xfrs()
 			was not being called if the zone was being
 			shutdown.
 
 1434.	[bug]		"rndc reconfig" failed to initiate the initial
 			zone transfer of new slave zones.
 
 1433.	[bug]		named could trigger a REQUIRE failure if it could
 			not get a file descriptor when attempting to write
 			a master file. [RT #4347]
 
 1432.	[func]		The advertised EDNS UDP buffer size can now be set
 			via named.conf (edns-udp-size).
 
 1431.	[bug]		isc_print_snprintf() "%s" with precision could walk off
 			end of argument. [RT #5191]
 
 1430.	[port]		linux: IPv6 interface scanning support.
 
 1429.	[bug]		Prevent the cache getting locked to old servers.
 
 1428.	[placeholder]
 
 1427.	[bug]		Race condition in adb with threaded build.
 
 1426.	[placeholder]
 
 1425.	[port]		linux/libbind: define __USE_MISC when testing *_r()
 			function prototypes in netdb.h.  [RT #4921]
 
 1424.	[bug]		EDNS version not being correctly printed.
 
 1423.	[contrib]	queryperf: added A6 and SRV.
 
 1422.	[func]		Log name/type/class when denying a query.  [RT #4663]
 
 1421.	[func]		Differentiate updates that don't succeed due to
 			prerequisites (unsuccessful) vs other reasons
 			(failed).
 
 1420.	[port]		solaris: work around gcc optimizer bug.
 
 1419.	[port]		openbsd: use /dev/arandom. [RT #4950]
 
 1418.	[bug]		'rndc reconfig' did not cause new slaves to load.
 
 1417.	[func]		ID.SERVER/CHAOS is now a built in zone.
 			See "server-id" for how to configure.
 
 1416.	[bug]		Empty node should return NOERROR NODATA, not NXDOMAIN.
 			[RT #4715]
 
 1415.	[func]		DS TTL now derived from NS ttl.  NXT TTL now derived
 			from SOA MINIMUM.
 
 1414.	[func]		Support for KSK flag.
 
 1413.	[func]		Explicitly request the (re-)generation of DS records
 			from keysets (dnssec-signzone -g).
 
 1412.	[func]		You can now specify servers to be tried if a nameserver
 			has IPv6 address and you only support IPv4 or the
 			reverse. See dual-stack-servers.
 
 1411.	[bug]		empty nodes should stop wildcard matches. [RT #4802]
 
 1410.	[func]		Handle records that live in the parent zone, e.g. DS.
 
 1409.	[bug]		DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
 
 1408.	[bug]		"make distclean" was not complete. [RT #4700]
 
 1407.	[bug]		lfsr incorrectly implements the shift register.
 			[RT #4617]
 
 1406.	[bug]		dispatch initializes one of the LFSR's with a incorrect
 			polynomial.  [RT #4617]
 
 1405.	[func]		Use arc4random() if available.
 
 1404.	[bug]		libbind: ns_name_ntol() could overwrite a zero length
 			buffer.
 
 1403.	[func]		dnssec-signzone, dnssec-keygen, dnssec-makekeyset
 			dnssec-signkey now report their version in the
 			usage message.
 
 1402.	[cleanup]	A6 has been moved to experimental and is no longer
 			fully supported.
 
 1401.	[bug]		adb wasn't clearing state when the timer expired.
 
 1400.	[bug]		Block the addition of wildcard NS records by IXFR
 			or UPDATE. [RT #3502]
 
 1399.	[bug]		Use serial number arithmetic when testing SIG
 			timestamps. [RT #4268]
 
 1398.	[doc]		ARM: notify-also should have been also-notify.
 			[RT #4345]
 
 1397.	[maint]		J.ROOT-SERVERS.NET is now 192.58.128.30.
 
 1396.	[func]		dnssec-signzone: adjust the default signing time by
 			1 hour to allow for clock skew.
 
 1395.	[port]		OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
 			have a working implementation.  [RT #4079]
 
 1394.	[func]		It is now possible to check if a particular element is
 			in a acl.  Remove duplicate entries from the localnets
 			acl.
 
 1393.	[port]		Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
 			is not available in the kernel to prevent accidently
 			listening on IPv4 interfaces.
 
 1392.	[bug]		named-checkzone: update usage.
 
 1391.	[func]		Add support for IPv6 scoped addresses in named.
 
 1390.	[func]		host now supports ixfr.
 
 1389.	[bug]		named could fail to rotate long log files.  [RT #3666]
 
 1388.	[port]		irix: check for sys/sysctl.h and NET_RT_IFLIST before
 			defining HAVE_IFLIST_SYSCTL. [RT #3770]
 
 1387.	[bug]		named could crash due to an access to invalid memory
 			space (which caused an assertion failure) in
 			incremental cleaning.  [RT #3588]
 
 1386.	[bug]		named-checkzone -z stopped on errors in a zone.
 			[RT #3653]
 
 1385.	[bug]		Setting serial-query-rate to 10 would trigger a
 			REQUIRE failure.
 
 1384.	[bug]		host was incompatible with BIND 8 in its exit code and
 			in the output with the -l option.  [RT #3536]
 
 1383.	[func]		Track the serial number in a IXFR response and log if
 			a mismatch occurs.  This is a more specific error than
 			"not exact". [RT #3445]
 
 1382.	[bug]		make install failed with --enable-libbind. [RT #3656]
 
 1381.	[bug]		named failed to correctly process answers that
 			contained DNAME records where the resulting CNAME
 			resulted in a negative answer.
 
 1380.	[func]		'rndc recursing' dump recursing queries to
 			'recursing-file = "named.recursing";'.
 
 1379.	[func]		'rndc status' now reports tcp and recursion quota
 			states.
 
 1378.	[func]		Improved positive feedback for 'rndc {reload|refresh}.
 
 1377.	[func]		dns_zone_load{new}() now reports if the zone was
 			loaded, queued for loading to up to date.
 
 1376.	[func]		New function dns_zone_logc() to log to specified
 			category.
 
 1375.	[func]		'rndc dumpdb' now dumps the adb cache along with the
 			data cache.
 
 1374.	[func]		dns_adb_dump() now logs the lame zones associated
 			with each server.
 
 1373.	[bug]		Recovery from expired glue failed under certain
 			circumstances.
 
 1372.	[bug]		named crashes with an assertion failure on exit when
 			sharing the same port for listening and querying, and
 			changing listening addresses several times. [RT #3509]
 
 1371.	[bug]		notify-source-v6, transfer-source-v6 and
 			query-source-v6 with explicit addresses and using the
 			same ports as named was listening on could interfere
 			with named's ability to answer queries sent to those
 			addresses.
 
 1370.	[bug]		dig '+[no]recurse' was incorrectly documented.
 
 1369.	[bug]		Adding an NS record as the lexicographically last
 			record in a secure zone didn't work.
 
 1368.	[func]		remove support for bitstring labels.
 
 1367.	[func]		Use response times to select forwarders.
 
 1366.	[contrib]	queryperf usage was incomplete.  Add '-h' for help.
 
 1365.	[func]		"localhost" and "localnets" acls now include IPv6
 			addresses / prefixes.
 
 1364.	[func]		Log file name when unable to open memory statistics
 			and dump database files. [RT #3437]
 
 1363.	[func]		Listen-on-v6 now supports specific addresses.
 
 1362.	[bug]		remove IFF_RUNNING test when scanning interfaces.
 
 1361.	[func]		log the reason for rejecting a server when resolving
 			queries.
 
 1360.	[bug]		--enable-libbind would fail when not built in the
 			source tree for certain OS's.
 
 1359.	[security]	Support patches OpenSSL libraries.
 			http://www.cert.org/advisories/CA-2002-23.html
 
 1358.	[bug]		It was possible to trigger a INSIST when debugging
 			large dynamic updates. [RT #3390]
 
 1357.	[bug]		nsupdate was extremely wasteful of memory.
 
 1356.	[tuning]	Reduce the number of events / quantum for zone tasks.
 
 1355.	[bug]		Fix DNSSEC wildcard proof for CNAME/DNAME.
 
 1354.	[doc]		lwres man pages had illegal nroff.
 
 1353.	[contrib]	sdb/ldap to version 0.9.
 
 1352.	[bug]		dig, host, nslookup when falling back to TCP use the
 			current search entry (if any). [RT #3374]
 
 1351.	[bug]		lwres_getipnodebyname() returned the wrong name
 			when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
 			was set.
 
 1350.	[bug]		dns_name_fromtext() failed to handle too many labels
 			gracefully.
 
 1349.	[security]	Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
 			http://www.cert.org/advisories/CA-2002-23.html
 
 1348.	[port]		win32: Rewrote code to use I/O Completion Ports
 			in socket.c and eliminating a host of socket
 			errors. Performance is enhanced.
 
 1347.	[placeholder]
 
 1346.	[placeholder]
 
 1345.	[port]		Use a explicit -Wformat with gcc.  Not all versions
 			include it in -Wall.
 
 1344.	[func]		Log if the serial number on the master has gone
 			backwards.
 			If you have multiple machines specified in the masters
 			clause you may want to set 'multi-master yes;' to
 			suppress this warning.
 
 1343.	[func]		Log successful notifies received (info).  Adjust log
 			level for failed notifies to notice.
 
 1342.	[func]		Log remote address with TCP dispatch failures.
 
 1341.	[func]		Allow a rate limiter to be stalled.
 
 1340.	[bug]		Delay and spread out the startup refresh load.
 
 1339.	[func]		dig, host and nslookup now use IP6.ARPA for nibble
 			lookups.  Bit string lookups are no longer attempted.
 
 1338.	[placeholder]
 
 1337.	[placeholder]
 
 1336.	[func]		Nibble lookups under IP6.ARPA are now supported by
 			dns_byaddr_create().  dns_byaddr_createptrname() is
 			deprecated, use dns_byaddr_createptrname2() instead.
 
 1335.	[bug]		When performing a nonexistence proof, the validator
 			should discard parent NXTs from higher in the DNS.
 
 1334.	[bug]		When signing/verifying rdatasets, duplicate rdatas
 			need to be suppressed.
 
 1333.	[contrib]	queryperf now reports a summary of returned
 			rcodes (-c), rcodes are printed in mnemonic form (-v).
 
 1332.	[func]		Report the current serial with periodic commits when
 			rolling forward the journal.
 
 1331.	[func]		Generate DNSSEC wildcard proofs.
 
 1330.	[bug]		When processing events (non-threaded) only allow
 			the task one chance to use to use its quantum.
 
 1329.	[func]		named-checkzone will now check if nameservers that
 			appear to be IP addresses.  Available modes "fail",
 			"warn" (default) and "ignore" the results of the
 			check.
 
 1328.	[bug]		The validator could incorrectly verify an invalid
 			negative proof.
 
 1327.	[bug]		The validator would incorrectly mark data as insecure
 			when seeing a bogus signature before a correct
 			signature.
 
 1326.	[bug]		DNAME/CNAME signatures were not being cached when
 			validation was not being performed. [RT #3284]
 
 1325.	[bug]		If the tcpquota was exhausted it was possible to
 			to trigger a INSIST() failure.
 
 1324.	[port]		darwin: ifconfig.sh now supports darwin.
 
 1323.	[port]		linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
 
 1322.	[bug]		dnssec-signzone usage message was misleading.
 
 1321.	[bug]		If the last RRset in a zone is glue, dnssec-signzone
 			would incorrectly duplicate its output and sign it.
 
 1320.	[doc]		query-source-v6 was missing from options section.
 			[RT #3218]
 
 1319.	[func]		libbind: log attempts to exploit #1318.
 
 1318.	[bug]		libbind: Remote buffer overrun.
 
 1317.	[port]		libbind: TrueUNIX 5.1 does not like __align as a
 			element name.
 
 1316.	[bug]		libbind: gethostans() could get out of sync parsing
 			the response if there was a very long CNAME chain.
 
 1315.	[bug]		Options should apply to the internal _bind view.
 
 1314.	[port]		Handle ECONNRESET from sendmsg() [unix].
 
 1313.	[func]		Query log now says if the query was signed (S) or
 			if EDNS was used (E).
 
 1312.	[func]		Log TSIG key used w/ outgoing zone transfers.
 
 1311.	[bug]		lwres_getrrsetbyname leaked memory.  [RT #3159]
 
 1310.	[bug]		'rndc stop' failed to cause zones to be flushed
 			sometimes. [RT #3157]
 
 1309.	[func]		Log that a zone transfer was covered by a TSIG.
 
 1308.	[func]		DS (delegation signer) support.
 
 1307.	[bug]		nsupdate: allow white space base64 key data.
 
 1306.	[bug]		Badly encoded LOC record when the size, horizontal
 			precision or vertical precision was 0.1m.
 
 1305.	[bug]		Document that internal zones are included in the
 			rndc status results.
 
 1304.	[func]		New function: dns_zone_name().
 
 1303.	[func]		Option 'flush-zones-on-shutdown <boolean>;'.
 
 1302.	[func]		Extended rndc dumpdb to support dumping of zones and
 			view selection: 'dumpdb [-all|-zones|-cache] [view]'.
 
 1301.	[func]		New category 'update-security'.
 
 1300.	[port]		Compaq Trucluster support.
 
 1299.	[bug]		Set AI_ADDRCONFIG when looking up addresses
 			via getaddrinfo() (affects dig, host, nslookup, rndc
 			and nsupdate).
 
 1298.	[bug]		The CINCLUDES macro in lib/dns/sec/dst/Makefile
 			could be left with a trailing "\" after configure
 			has been run.
 
 1297.	[port]		linux: make handling EINVAL from socket() no longer
 			conditional on #ifdef LINUX.
 
 1296.	[bug]		isc_log_closefilelogs() needed to lock the log
 			context.
 
 1295.	[bug]		isc_log_setdebuglevel() needed to lock the log
 			context.
 
 1294.	[func]		libbind: no longer attempts bit string labels for
 			IPv6 reverse resolution.  Try IP6.ARPA then IP6.INT
 			for nibble style resolution.
 
 1293.	[func]		Entropy can now be retrieved from EGDs. [RT #2438]
 
 1292.	[func]		Enable IPv6 support when using ioctl style interface
 			scanning and OS supports SIOCGLIFADDR using struct
 			if_laddrreq.
 
 1291.	[func]		Enable IPv6 support when using sysctl style interface
 			scanning.
 
 1290.	[func]		"dig axfr" now reports the number of messages
 			as well as the number of records.
 
 1289.	[port]		See if -ldl is required for OpenSSL? [RT #2672]
 
 1288.	[bug]		Adjusted REQUIRE's in lib/dns/name.c to better
 			reflect written requirements.
 
 1287.	[bug]		REQUIRE that DNS_DBADD_MERGE only be set when adding
 			a rdataset to a zone db in the rbtdb implementation of
 			addrdataset.
 
 1286.	[bug]		dns_name_downcase() enforce requirement that
 			target != NULL or name->buffer != NULL.
 
 1285.	[func]		lwres: probe the system to see what address families
 			are currently in use.
 
 1284.	[bug]		The RTT estimate on unused servers was not aged.
 			[RT #2569]
 
 1283.	[func]		Use "dataready" accept filter if available.
 
 1282.	[port]		libbind: hpux 11.11 interface scanning.
 
 1281.	[func]		Log zone when unable to get private keys to update
 			zone.  Log zone when NXT records are missing from
 			secure zone.
 
 1280.	[bug]		libbind: escape '(' and ')' when converting to
 			presentation form.
 
 1279.	[port]		Darwin uses (unsigned long) for size_t. [RT #2590]
 
 1278.	[func]		dig: now supports +[no]cl +[no]ttlid.
 
 1277.	[func]		You can now create your own customized printing
 			styles: dns_master_stylecreate() and
 			dns_master_styledestroy().
 
 1276.	[bug]		libbind: const pointer conflicts in res_debug.c.
 
 1275.	[port]		libbind: hpux: treat all hpux systems as BIG_ENDIAN.
 
 1274.	[bug]		Memory leak in lwres_gnbarequest_parse().
 
 1273.	[port]		libbind: solaris: 64 bit binary compatibility.
 
 1272.	[contrib]	Berkeley DB 4.0 sdb implementation from
 			Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
 
 1271.	[bug]		"recursion available: {denied,approved}" was too
 			confusing.
 
 1270.	[bug]		Check that system inet_pton() and inet_ntop() support
 			AF_INET6.
 
 1269.	[port]		Openserver: ifconfig.sh support.
 
 1268.	[port]		Openserver: the value FD_SETSIZE depends on whether
 			<sys/param.h> is included or not.  Be consistent.
 
 1267.	[func]		isc_file_openunique() now creates file using mode
 			0666 rather than 0600.
 
 1266.	[bug]		ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
 			__ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
 			are not C++ compatible, use *_TYPE versions instead.
 
 1265.	[bug]		libbind: LINK_INIT and UNLINK were not compatible with
 			C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
 
 1264.	[placeholder]
 
 1263.	[bug]		Reference after free error if dns_dispatchmgr_create()
 			failed.
 
 1262.	[bug]		ns_server_destroy() failed to set *serverp to NULL.
 
 1261.	[func]		libbind: ns_sign2() and ns_sign_tcp() now provide
 			support for compressed TSIG owner names.
 
 1260.	[func]		libbind: res_update can now update IPv6 servers,
 			new function res_findzonecut2().
 
 1259.	[bug]		libbind: get_salen() IPv6 support was broken for OSs
 			w/o sa_len.
 
 1258.	[bug]		libbind: res_nametotype() and res_nametoclass() were
 			broken.
 
 1257.	[bug]		Failure to write pid-file should not be fatal on
 			reload. [RT #2861]
 
 1256.	[contrib]	'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
 
 1255.	[bug]		When verifying that an NXT proves nonexistence, check
 			the rcode of the message and only do the matching NXT
 			check.  That is, for NXDOMAIN responses, check that
 			the name is in the range between the NXT owner and
 			next name, and for NOERROR NODATA responses, check
 			that the type is not present in the NXT bitmap.
 
 1254.	[func]		preferred-glue option from BIND 8.3.
 
 1253.	[bug]		The dnssec system test failed to remove the correct
 			files.
 
 1252.	[bug]		Dig, host and nslookup were not checking the address
 			the answer was coming from against the address it was
 			sent to. [RT #2692]
 
 1251.	[port]		win32: a make file contained absolute version specific
 			references.
 
 1250.	[func]		Nsupdate will report the address the update was
 			sent to.
 
 1249.	[bug]		Missing masters clause was not handled gracefully.
 			[RT #2703]
 
 1248.	[bug]		DESTDIR was not being propagated between makes.
 
 1247.	[bug]		Don't reset the interface index for link/site local
 			addresses. [RT #2576]
 
 1246.	[func]		New functions isc_sockaddr_issitelocal(),
 			isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
 			and isc_netaddr_islinklocal().
 
 1245.	[bug]		Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
 			accept().
 
 1244.	[bug]		Receiving a TCP message from a blackhole address would
 			prevent further messages being received over that
 			interface.
 
 1243.	[bug]		It was possible to trigger a REQUIRE() in
 			dns_message_findtype(). [RT #2659]
 
 1242.	[bug]		named-checkzone failed if a journal existed. [RT #2657]
 
 1241.	[bug]		Drop received UDP messages with a zero source port
 			as these are invariably forged. [RT #2621]
 
 1240.	[bug]		It was possible to leak zone references by
 			specifying an incorrect zone to rndc.
 
 1239.	[bug]		Under certain circumstances named could continue to
 			use a name after it had been freed triggering
 			INSIST() failures.  [RT #2614]
 
 1238.	[bug]		It is possible to lockup the server when shutting down
 			if notifies were being processed. [RT #2591]
 
 1237.	[bug]		nslookup: "set q=type" failed.
 
 1236.	[bug]		dns_rdata{class,type}_fromtext() didn't handle non
 			NULL terminated text regions. [RT #2588]
 
 1235.	[func]		Report 'out of memory' errors from openssl.
 
 1234.	[bug]		contrib/sdb: 'zonetodb' failed to call
 			dns_result_register().  DNS_R_SEENINCLUDE should not
 			be fatal.
 
 1233.	[bug]		The flags field of a KEY record can be expressed in
 			hex as well as decimal.
 
 1232.	[bug]		unix/errno2result() didn't handle EADDRNOTAVAIL.
 
 1231.	[port]		HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
 
 1230.	[bug]		isccc_cc_isreply() and isccc_cc_isack() were broken.
 
 1229.	[bug]		named would crash if it received a TSIG signed
 			query as part of an AXFR response. [RT #2570]
 
 1228.	[bug]		'make install' did not depend on 'make all'. [RT #2559]
 
 1227.	[bug]		dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
 			if a number was expected and some other token was
 			found. [RT #2532]
 
 1226.	[func]		Use EDNS for zone refresh queries. [RT #2551]
 
 1225.	[func]		dns_message_setopt() no longer requires that
 			dns_message_renderbegin() to have been called.
 
 1224.	[bug]		'rrset-order' and 'sortlist' should be additive
 			not exclusive.
 
 1223.	[func]		'rrset-order' partially works 'cyclic' and 'random'
 			are supported.
 
 1222.	[bug]		Specifying 'port *' did not always result in a system
 			selected (non-reserved) port being used. [RT #2537]
 
 1221.	[bug]		Zone types 'master', 'slave' and 'stub' were not being
 			compared case insensitively. [RT #2542]
 
 1220.	[func]		Support for APL rdata type.
 
 1219.	[func]		Named now reports the TSIG extended error code when
 			signature verification fails. [RT #1651]
 
 1218.	[bug]		Named incorrectly returned SERVFAIL rather than
 			NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
 
 1217.	[func]		Report locations of previous key definition when a
 			duplicate is detected.
 
 1216.	[bug]		Multiple server clauses for the same server were not
 			reported.  [RT #2514]
 
 1215.	[port]		solaris: add support to ifconfig.sh for x86 2.5.1
 
 1214.	[bug]		Win32: isc_file_renameunique() could leave zero length
 			files behind.
 
 1213.	[func]		Report view associated with client if it is not a
 			standard view (_default or _bind).
 
 1212.	[port]		libbind: 64k answer buffers were causing stack space
 			to be exceeded for certain OS.  Use heap space instead.
 
 1211.	[bug]		dns_name_fromtext() incorrectly handled certain
 			valid octal bitlabels. [RT #2483]
 
 1210.	[bug]		libbind: getnameinfo() failed to lookup IPv4 mapped /
 			compatible addresses. [RT #2461]
 
 1209.	[bug]		Dig, host, nslookup were not checking the message ids
 			on the responses. [RT #2454]
 
 1208.	[bug]		dns_master_load*() failed to log a error message if
-			an error was detected when parsing the ownername of
+			an error was detected when parsing the owner name of
 			a record.  [RT #2448]
 
 1207.	[bug]		libbind: getaddrinfo() could call freeaddrinfo() with
 			an invalid pointer.
 
 1206.	[bug]		SERVFAIL and NOTIMP responses to an EDNS query should
 			trigger a non-EDNS retry.
 
 1205.	[bug]		OPT, TSIG and TKEY cannot be used to set the "class"
 			of the message. [RT #2449]
 
 1204.	[bug]		libbind: res_nupdate() failed to update the name
 			server addresses before sending the update.
 
 1203.	[func]		Report locations of previous acl and zone definitions
 			when a duplicate is detected.
 
 1202.	[func]		New functions: cfg_obj_line() and cfg_obj_file().
 
 1201.	[bug]		Require that if 'callbacks' is passed to
 			dns_rdata_fromtext(), callbacks->error and
 			callbacks->warn are initialized.
 
 1200.	[bug]		Log 'errno' that we are unable to convert to
 			isc_result_t. [RT #2404]
 
 1199.	[doc]		ARM reference to RFC 2157 should have been RFC 1918.
 			[RT #2436]
 
 1198.	[bug]		OPT printing style was not consistent with the way the
 			header fields are printed.  The DO bit was not reported
 			if set.  Report if any of the MBZ bits are set.
 
 1197.	[bug]		Attempts to define the same acl multiple times were not
 			detected.
 
 1196.	[contrib]	update mdnkit to 2.2.3.
 
 1195.	[bug]		Attempts to redefine builtin acls should be caught.
 			[RT #2403]
 
 1194.	[bug]		Not all duplicate zone definitions were being detected
 			at the named.conf checking stage. [RT #2431]
 
 1193.	[bug]		dig +besteffort parsing didn't handle packet
 			truncation.  dns_message_parse() has new flag
 			DNS_MESSAGE_IGNORETRUNCATION.
 
 1192.	[bug]		The seconds fields in LOC records were restricted
 			to three decimal places.  More decimal places should
 			be allowed but warned about.
 
 1191.	[bug]		A dynamic update removing the last non-apex name in
 			a secure zone would fail. [RT #2399]
 
 1190.	[func]		Add the "rndc freeze" and "rndc unfreeze" commands.
 			[RT #2394]
 
 1189.	[bug]		On some systems, malloc(0) returns NULL, which
 			could cause the caller to report an out of memory
 			error. [RT #2398]
 
 1188.	[bug]		Dynamic updates of a signed zone would fail if
 			some of the zone private keys were unavailable.
 
 1187.	[bug]		named was incorrectly returning DNSSEC records
 			in negative responses when the DO bit was not set.
 
 1186.	[bug]		isc_hex_tobuffer(,,length = 0) failed to unget the
 			EOL token when reading to end of line.
 
 1185.	[bug]		libbind: don't assume statp->_u._ext.ext is valid
 			unless RES_INIT is set when calling res_*init().
 
 1184.	[bug]		libbind: call res_ndestroy() if RES_INIT is set
 			when res_*init() is called.
 
 1183.	[bug]		Handle ENOSR error when writing to the internal
 			control pipe. [RT #2395]
 
 1182.	[bug]		The server could throw an assertion failure when
 			constructing a negative response packet.
 
 1181.	[func]		Add the "key-directory" configuration statement,
 			which allows the server to look for online signing
 			keys in alternate directories.
 
 1180.	[func]		dnssec-keygen should always generate keys with
 			protocol 3 (DNSSEC), since it's less confusing
 			that way.
 
 1179.	[func]		Add SIG(0) support to nsupdate.
 
 1178.	[bug]		Follow and cache (if appropriate) A6 and other
 			data chains to completion in the additional section.
 
 1177.	[func]		Report view when loading zones if it is not a
 			standard view (_default or _bind). [RT #2270]
 
 1176.	[doc]		Document that allow-v6-synthesis is only performed
 			for clients that are supplied recursive service.
 			[RT #2260]
 
 1175.	[bug]		named-checkzone and named-checkconf failed to call
 			dns_result_register() at startup which could
 			result in runtime exceptions when printing
 			"out of memory" errors. [RT #2335]
 
 1174.	[bug]		Win32: add WSAECONNRESET to the expected errors
 			from connect(). [RT #2308]
 
 1173.	[bug]		Potential memory leaks in isc_log_create() and
 			isc_log_settag(). [RT #2336]
 
 1172.	[doc]		Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
 			table of RR types in ARM.
 
 1171.	[func]		Added function isc_region_compare(), updated files in
 			lib/dns to use this function instead of local one.
 
 1170.	[bug]		Don't attempt to print the token when a I/O error
 			occurs when parsing named.conf. [RT #2275]
 
 1169.	[func]		Identify recursive queries in the query log.
 
 1168.	[bug]		Empty also-notify clauses were not handled. [RT #2309]
 
 1167.	[contrib]	nslint-2.1a3 (from author).
 
 1166.	[bug]		"Not Implemented" should be reported as NOTIMP,
 			not NOTIMPL. [RT #2281]
 
 1165.	[bug]		We were rejecting notify-source{-v6} in zone clauses.
 
 1164.	[bug]		Empty masters clauses in slave / stub zones were not
 			handled gracefully. [RT #2262]
 
 1163.	[func]		isc_time_formattimestamp() now includes the year.
 
 1162.	[bug]		The allow-notify option was not accepted in slave
 			zone statements.
 
 1161.	[bug]		named-checkzone looped on unbalanced brackets.
 			[RT #2248]
 
 1160.	[bug]		Generating Diffie-Hellman keys longer than 1024
 			bits could fail. [RT #2241]
 
 1159.	[bug]		MD and MF are not permitted to be loaded by RFC1123.
 
 1158.	[func]		Report the client's address when logging notify
 			messages.
 
 1157.	[func]		match-clients and match-destinations now accept
 			keys. [RT #2045]
 
 1156.	[port]		The configure test for strsep() incorrectly
 			succeeded on certain patched versions of
 			AIX 4.3.3. [RT #2190]
 
 1155.	[func]		Recover from master files being removed from under
 			us.
 
 1154.	[bug]		Don't attempt to obtain the netmask of a interface
 			if there is no address configured. [RT #2176]
 
 1153.	[func]		'rndc {stop|halt} -p' now reports the process id
 			of the instance of named being shutdown.
 
 1152.	[bug]		libbind: read buffer overflows.
 
 1151.	[bug]		nslookup failed to check that the arguments to
 			the port, timeout, and retry options were
 			valid integers and in range. [RT #2099]
 
 1150.	[bug]		named incorrectly accepted TTL values
 			containing plus or minus signs, such as
 			1d+1h-1s.
 
 1149.	[func]		New function isc_parse_uint32().
 
 1148.	[func]		'rndc-confgen -a' now provides positive feedback.
 
 1147.	[func]		Set IPV6_V6ONLY on IPv6 sockets if supported by
 			the OS.  listen-on-v6 { any; }; should no longer
 			result in IPv4 queries be accepted.  Similarly
 			control { inet :: ... }; should no longer result
 			in IPv4 connections being accepted.  This can be
 			overridden at compile time by defining
 			ISC_ALLOW_MAPPED=1.
 
 1146.	[func]		Allow IPV6_IPV6ONLY to be set/cleared on a socket if
 			supported by the OS by a new function
 			isc_socket_ipv6only().
 
 1145.	[func]		"host" no longer reports a NOERROR/NODATA response
 			by printing nothing. [RT #2065]
 
 1144.	[bug]		rndc-confgen would crash if both the -a and -t
 			options were specified. [RT #2159]
 
 1143.	[bug]		When a trusted-keys statement was present and named
 			was built without crypto support, it would leak memory.
 
 1142.	[bug]		dnssec-signzone would fail to delete temporary files
 			in some failure cases. [RT #2144]
 
 1141.	[bug]		When named rejected a control message, it would
 			leak a file descriptor and memory.  It would also
 			fail to respond, causing rndc to hang.
 			[RT #2139, #2164]
 
 1140.	[bug]		rndc-confgen did not accept IPv6 addresses as arguments
 			to the -s option. [RT #2138]
 
 1139.	[func]		It is now possible to flush a given name from the
 			cache(s) via 'rndc flushname name [view]'. [RT #2051]
 
 1138.	[func]		It is now possible to flush a given name from the
 			cache by calling the new function
 			dns_cache_flushname().
 
 1137.	[func]		It is now possible to flush a given name from the
 			ADB by calling the new function dns_adb_flushname().
 
 1136.	[bug]		CNAME records synthesized from DNAMEs did not
 			have a TTL of zero as required by RFC2672.
 			[RT #2129]
 
 1135.	[func]		You can now override the default syslog() facility for
 			named/lwresd at compile time. [RT #1982]
 
 1134.	[bug]		Multi-threaded servers could deadlock in ferror()
 			when reloading zone files. [RT #1951, #1998]
 
 1133.	[bug]		IN6_IS_ADDR_LOOPBACK was not portably defined on
 			platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
 
 1132.	[func]		Improve UPDATE prerequisite failure diagnostic messages.
 
 1131.	[bug]		The match-destinations view option did not work with
 			IPv6 destinations. [RT #2073, #2074]
 
 1130.	[bug]		Log messages reporting an out-of-range serial number
 			did not include the out-of-range number but the
 			following token. [RT #2076]
 
 1129.	[bug]		Multi-threaded servers could crash under heavy
 			resolution load due to a race condition. [RT #2018]
 
 1128.	[func]		sdb drivers can now provide RR data in either text
 			or wire format, the latter using the new functions
 			dns_sdb_putrdata() and dns_sdb_putnamedrdata().
 
 1127.	[func]		rndc: If the server to contact has multiple addresses,
 			try all of them.
 
 1126.	[bug]		The server could access a freed event if shut
 			down while a client start event was pending
 			delivery. [RT #2061]
 
 1125.	[bug]		rndc: -k option was missing from usage message.
 			[RT #2057]
 
 1124.	[doc]		dig: +[no]dnssec, +[no]besteffort and +[no]fail
 			are now documented. [RT #2052]
 
 1123.	[bug]		dig +[no]fail did not match description. [RT #2052]
 
 1122.	[tuning]	Resolution timeout reduced from 90 to 30 seconds.
 			[RT #2046]
 
 1121.	[bug]		The server could attempt to access a NULL zone
 			table if shut down while resolving.
 			[RT #1587, #2054]
 
 1120.	[bug]		Errors in options were not fatal. [RT #2002]
 
 1119.	[func]		Added support in Win32 for NTFS file/directory ACL's
 			for access control.
 
 1118.	[bug]		On multi-threaded servers, a race condition
 			could cause an assertion failure in resolver.c
 			during resolver shutdown. [RT #2029]
 
 1117.	[port]		The configure check for in6addr_loopback incorrectly
 			succeeded on AIX 4.3 when compiling with -O2
 			because the test code was optimized away.
 			[RT #2016]
 
 1116.	[bug]		Setting transfers in a server clause, transfers-in,
 			or transfers-per-ns to a value greater than
 			2147483647 disabled transfers. [RT #2002]
 
 1115.	[func]		Set maximum values for cleaning-interval,
 			heartbeat-interval, interface-interval,
 			max-transfer-idle-in, max-transfer-idle-out,
 			max-transfer-time-in, max-transfer-time-out,
 			statistics-interval of 28 days and
 			sig-validity-interval of 3660 days. [RT #2002]
 
 1114.	[port]		Ignore more accept() errors. [RT #2021]
 
 1113.	[bug]		The allow-update-forwarding option was ignored
 			when specified in a view. [RT #2014]
 
 1112.	[placeholder]
 
 1111.	[bug]		Multi-threaded servers could deadlock processing
 			recursive queries due to a locking hierarchy
 			violation in adb.c. [RT #2017]
 
 1110.	[bug]		dig should only accept valid abbreviations of +options.
 			[RT #2003]
 
 1109.	[bug]		nsupdate accepted illegal ttl values.
 
 1108.	[bug]		On Win32, rndc was hanging when named was not running
 			due to failure to select for exceptional conditions
 			in select(). [RT #1870]
 
 1107.	[bug]		nsupdate could catch an assertion failure if an
 			invalid domain name was given as the argument to
 			the "zone" command.
 
 1106.	[bug]		After seeing an out of range TTL, nsupdate would
 			treat all TTLs as out of range. [RT #2001]
 
 1105.	[port]		OpenUNIX 8 enable threads by default. [RT #1970]
 
 1104.	[bug]		Invalid arguments to the transfer-format option
 			could cause an assertion failure. [RT #1995]
 
 1103.	[port]		OpenUNIX 8 support (ifconfig.sh). [RT #1970]
 
 1102.	[doc]		Note that query logging is enabled by directing the
 			queries category to a channel.
 
 1101.	[bug]		Array bounds read error in lwres_gai_strerror.
 
 1100.	[bug]		libbind: DNSSEC key ids were computed incorrectly.
 
 1099.	[cleanup]	libbind: defining REPORT_ERRORS in lib/bind/dst caused
 			compile time errors.
 
 1098.	[bug]		libbind: HMAC-MD5 key files are now mode 0600.
 
 1097.	[func]		libbind: RES_PRF_TRUNC for dig.
 
 1096.	[func]		libbind: "DNSSEC OK" (DO) support.
 
 1095.	[func]		libbind: resolver option: no-tld-query.  disables
 			trying unqualified as a tld.  no_tld_query is also
 			supported for FreeBSD compatibility.
 
 1094.	[func]		libbind: add support gcc's format string checking.
 
 1093.	[doc]		libbind: miscellaneous nroff fixes.
 
 1092.	[bug]		libbind: get*by*() failed to check if res_init() had
 			been called.
 
 1091.	[bug]		libbind: misplaced va_end().
 
 1090.	[bug]		libbind: dns_ho.c:add_hostent() was not returning
 			the amount of memory consumed resulting in garbage
 			address being returned.  Alignment calculations were
 			wasting space.  We weren't suppressing duplicate
 			addresses.
 
 1089.	[func]		libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
 			support.
 
 1088.	[port]		libbind: MPE/iX C.70 (incomplete)
 
 1087.	[bug]		libbind: struct __res_state too large on 64 bit arch.
 
 1086.	[port]		libbind: sunos: old sprintf.
 
 1085.	[port]		libbind: solaris: sys_nerr and sys_errlist do not
 			exist when compiling in 64 bit mode.
 
 1084.	[cleanup]	libbind: gai_strerror() rewritten.
 
 1083.	[bug]		The default control channel listened on the
 			wildcard address, not the loopback as documented.
 			[RT #1975]
 
 1082.	[bug]		The -g option to named incorrectly caused logging
 			to be sent to syslog in addition to stderr.
 			[RT #1974]
 
 1081.	[bug]		Multicast queries were incorrectly identified
 			based on the source address, not the destination
 			address.
 
 1080.	[bug]		BIND 8 compatibility: accept bare IP prefixes
 			as the second element of a two-element top level
 			sort list statement. [RT #1964]
 
 1079.	[bug]		BIND 8 compatibility: accept bare elements at top
 			level of sort list treating them as if they were
 			a single element list. [RT #1963]
 
 1078.	[bug]		We failed to correct bad tv_usec values in one case.
 			[RT #1966]
 
 1077.	[func]		Do not accept further recursive clients when
 			the total number of recursive lookups being
 			processed exceeds max-recursive-clients, even
 			if some of the lookups are internally generated.
 			[RT #1915, #1938]
 
 1076.	[bug]		A badly defined global key could trigger an assertion
 			on load/reload if views were used. [RT #1947]
 
 1075.	[bug]		Out-of-range network prefix lengths were not
 			reported. [RT #1954]
 
 1074.	[bug]		Running out of memory in dump_rdataset() could
 			cause an assertion failure. [RT #1946]
 
 1073.	[bug]		The ADB cache cleaning should also be space driven.
 			[RT #1915, #1938]
 
 1072.	[bug]		The TCP client quota could be exceeded when
 			recursion occurred. [RT #1937]
 
 1071.	[bug]		Sockets listening for TCP DNS connections
 			specified an excessive listen backlog. [RT #1937]
 
 1070.	[bug]		Copy DNSSEC OK (DO) to response as specified by
 			draft-ietf-dnsext-dnssec-okbit-03.txt.
 
 1069.	[placeholder]
 
 1068.	[bug]		errno could be overwritten by catgets(). [RT #1921]
 
 1067.	[func]		Allow quotas to be soft, isc_quota_soft().
 
 1066.	[bug]		Provide a thread safe wrapper for strerror().
 			[RT #1689]
 
 1065.	[func]		Runtime support to select new / old style interface
 			scanning using ioctls.
 
 1064.	[bug]		Do not shut down active network interfaces if we
 			are unable to scan the interface list. [RT #1921]
 
 1063.	[bug]		libbind: "make install" was failing on IRIX.
 			[RT #1919]
 
 1062.	[bug]		If the control channel listener socket was shut
 			down before server exit, the listener object could
 			be freed twice. [RT #1916]
 
 1061.	[bug]		If periodic cache cleaning happened to start
 			while cleaning due to reaching the configured
 			maximum cache size was in progress, the server
 			could catch an assertion failure. [RT #1912]
 
 1060.	[func]		Move refresh, stub and notify UDP retry processing
 			into dns_request.
 
 1059.	[func]		dns_request now support will now retry UDP queries,
 			dns_request_createvia2() and dns_request_createraw2().
 
 1058.	[func]		Limited lifetime ticker timers are now available,
 			isc_timertype_limited.
 
 1057.	[bug]		Reloading the server after adding a "file" clause
 			to a zone statement could cause the server to
 			crash due to a typo in change 1016.
 
 1056.	[bug]		Rndc could catch an assertion failure on SIGINT due
 			to an uninitialized variable. [RT #1908]
 
 1055.	[func]		Version and hostname queries can now be disabled
 			using "version none;" and "hostname none;",
 			respectively.
 
 1054.	[bug]		On Win32, cfg_categories and cfg_modules need to be
 			exported from the libisccfg DLL.
 
 1053.	[bug]		Dig did not increase its timeout when receiving
 			AXFRs unless the +time option was used. [RT #1904]
 
 1052.	[bug]		Journals were not being created in binary mode
 			resulting in "journal format not recognized" error
 			under Win32. [RT #1889]
 
 1051.	[bug]		Do not ignore a network interface completely just
 			because it has a noncontiguous netmask.  Instead,
 			omit it from the localnets ACL and issue a warning.
 			[RT #1891]
 
 1050.	[bug]		Log messages reporting malformed IP addresses in
 			address lists such as that of the forwarders option
 			failed to include the correct error code, file
 			name, and line number. [RT #1890]
 
 1049.	[func]		"pid-file none;" will disable writing a pid file.
 			[RT #1848]
 
 1048.	[bug]		Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
 			didn't work.
 
 1047.	[bug]		named was incorrectly refusing all requests signed
 			with a TSIG key derived from an unsigned TKEY
 			negotiation with a NOERROR response. [RT #1886]
 
 1046.	[bug]		The help message for the --with-openssl configure
 			option was inaccurate. [RT #1880]
 
 1045.	[bug]		It was possible to skip saving glue for a nameserver
 			for a stub zone.
 
 1044.	[bug]		Specifying allow-transfer, notify-source, or
 			notify-source-v6 in a stub zone was not treated
 			as an error.
 
 1043.	[bug]		Specifying a transfer-source or transfer-source-v6
 			option in the zone statement for a master zone was
 			not treated as an error. [RT #1876]
 
 1042.	[bug]		The "config" logging category did not work properly.
 			[RT #1873]
 
 1041.	[bug]		Dig/host/nslookup could catch an assertion failure
 			on SIGINT due to an uninitialized variable. [RT #1867]
 
 1040.	[bug]		Multiple listen-on-v6 options with different ports
 			were not accepted. [RT #1875]
 
 1039.	[bug]		Negative responses with CNAMEs in the answer section
 			were cached incorrectly. [RT #1862]
 
 1038.	[bug]		In servers configured with a tkey-domain option,
 			TKEY queries with an owner name other than the root
 			could cause an assertion failure. [RT #1866, #1869]
 
 1037.	[bug]		Negative responses whose authority section contain
 			SOA or NS records whose owner names are not equal
 			equal to or parents of the query name should be
 			rejected. [RT #1862]
 
 1036.	[func]		Silently drop requests received via multicast as
 			long as there is no final multicast DNS standard.
 
 1035.	[bug]		If we respond to multicast queries (which we
 			currently do not), respond from a unicast address
 			as specified in RFC 1123. [RT #137]
 
 1034.	[bug]		Ignore the RD bit on multicast queries as specified
 			in RFC 1123. [RT #137]
 
 1033.	[bug]		Always respond to requests with an unsupported opcode
 			with NOTIMP, even if we don't have a matching view
 			or cannot determine the class.
 
 1032.	[func]		hostname.bind/txt/chaos now returns the name of
 			the machine hosting the nameserver.  This is useful
 			in diagnosing problems with anycast servers.
 
 1031.	[bug]		libbind.a: isc__gettimeofday() infinite recursion.
 			[RT #1858]
 
 1030.	[bug]		On systems with no resolv.conf file, nsupdate
 			exited with an error rather than defaulting
 			to using the loopback address. [RT #1836]
 
 1029.	[bug]		Some named.conf errors did not cause the loading
 			of the configuration file to return a failure
 			status even though they were logged. [RT #1847]
 
 1028.	[bug]		On Win32, dig/host/nslookup looked for resolv.conf
 			in the wrong directory. [RT #1833]
 
 1027.	[bug]		RRs having the reserved type 0 should be rejected.
 			[RT #1471]
 
 1026.	[placeholder]
 
 1025.	[bug]		Don't use multicast addresses to resolve iterative
 			queries. [RT #101]
 
 1024.	[port]		Compilation failed on HP-UX 11.11 due to
 			incompatible use of the SIOCGLIFCONF macro
 			name. [RT #1831]
 
 1023.	[func]		Accept hints without TTLs.
 
 1022.	[bug]		Don't report empty root hints as "extra data".
 			[RT #1802]
 
 1021.	[bug]		On Win32, log message timestamps were one month
 			later than they should have been, and the server
 			would exhibit unspecified behavior in December.
 
 1020.	[bug]		IXFR log messages did not distinguish between
 			true IXFRs, AXFR-style IXFRs, and mere version
 			polls. [RT #1811]
 
 1019.	[bug]		The value of the lame-ttl option was limited to 18000
 			seconds, not 1800 seconds as documented. [RT #1803]
 
 1018.	[bug]		The default log channel was not always initialized
 			correctly. [RT #1813]
 
 1017.	[bug]		When specifying TSIG keys to dig and nsupdate using
 			the -k option, they must be HMAC-MD5 keys. [RT #1810]
 
 1016.	[bug]		Slave zones with no backup file were re-transferred
 			on every server reload.
 
 1015.	[bug]		Log channels that had a "versions" option but no
 			"size" option failed to create numbered log
 			files. [RT #1783]
 
 1014.	[bug]		Some queries would cause statistics counters to
 			increment more than once or not at all. [RT #1321]
 
 1013.	[bug]		It was possible to cancel a query twice when marking
 			a server as bogus or by having a blackhole acl.
 			[RT #1776]
 
 1012.	[bug]		The -p option to named did not behave as documented.
 
 1011.	[cleanup]	Removed isc_dir_current().
 
 1010.	[bug]		The server could attempt to execute a command channel
 			command after initiating server shutdown, causing
 			an assertion failure. [RT #1766]
 
 1009.	[port]		OpenUNIX 8 support. [RT #1728]
 
 1008.	[port]		libtool.m4, ltmain.sh from libtool-1.4.2.
 
 1007.	[port]		config.guess, config.sub from autoconf-2.52.
 
 1006.	[bug]		If a KEY RR was found missing during DNSSEC validation,
 			an assertion failure could subsequently be triggered
 			in the resolver. [RT #1763]
 
 1005.	[bug]		Don't copy nonzero RCODEs from request to response.
 			[RT #1765]
 
 1004.	[port]		Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
 
 1003.	[func]		Add the +retry option to dig.
 
 1002.	[bug]		When reporting an unknown class name in named.conf,
 			including the file name and line number. [RT #1759]
 
 1001.	[bug]		win32 socket code doio_recv was not catching a
 			WSACONNRESET error when a client was timing out
 			the request and closing its socket. [RT #1745]
 
 1000.	[bug]		BIND 8 compatibility: accept "HESIOD" as an alias
 			for class "HS". [RT #1759]
 
  999.	[func]		"rndc retransfer zone [class [view]]" added.
 			[RT #1752]
 
  998.	[func]		named-checkzone now has arguments to specify the
 			chroot directory (-t) and working directory (-w).
 			[RT #1755]
 
  997.	[func]		Add support for RSA-SHA1 keys (RFC3110).
 
  996.	[func]		Issue warning if the configuration filename contains
 			the chroot path.
 
  995.	[bug]		dig, host, nslookup: using a raw IPv6 address as a
 			target address should be fatal on a IPv4 only system.
 
  994.	[func]		Treat non-authoritative responses to queries for type
 			NS as referrals even if the NS records are in the
 			answer section, because BIND 8 servers incorrectly
 			send them that way.  This is necessary for DNSSEC
 			validation of the NS records of a secure zone to
 			succeed when the parent is a BIND 8 server. [RT #1706]
 
  993.	[func]		dig: -v now reports the version.
 
  992.	[doc]		dig: ~/.digrc is now documented.
 
  991.	[func]		Lower UDP refresh timeout messages to level
 			debug 1.
 
  990.	[bug]		The rndc-confgen man page was not installed.
 
  989.	[bug]		Report filename if $INCLUDE fails for file related
 			errors. [RT #1736]
 
  988.	[bug]		'additional-from-auth no;' did not work reliably
 			in the case of queries answered from the cache.
 			[RT #1436]
 
  987.	[bug]		"dig -help" didn't show "+[no]stats".
 
  986.	[bug]		"dig +noall" failed to clear stats and command
 			printing.
 
  985.	[func]		Consider network interfaces to be up iff they have
 			a nonzero IP address rather than based on the
 			IFF_UP flag. [RT #1160]
 
  984.	[bug]		Multi-threading should be enabled by default on
 			Solaris 2.7 and newer, but it wasn't.
 
  983.	[func]		The server now supports generating IXFR difference
 			sequences for non-dynamic zones by comparing zone
 			versions, when enabled using the new config
 			option "ixfr-from-differences". [RT #1727]
 
  982.	[func]		If "memstatistics-file" is set in options the memory
 			statistics will be written to it.
 
  981.	[func]		The dnssec tools can now take multiple '-r randomfile'
 			arguments.
 
  980.	[bug]		Incoming zone transfers restarting after an error
 			could trigger an assertion failure. [RT #1692]
 
  979.	[func]		Incremental master file dumping.  dns_master_dumpinc(),
 			dns_master_dumptostreaminc(), dns_dumpctx_attach(),
 			dns_dumpctx_detach(), dns_dumpctx_cancel(),
 			dns_dumpctx_db() and dns_dumpctx_version().
 
  978.	[bug]		dns_db_attachversion() had an invalid REQUIRE()
 			condition.
 
  977.	[bug]		Improve "not at top of zone" error message.
 
  976.	[func]		named-checkconf can now test load master zones
 			(named-checkconf -z). [RT #1468]
 
  975.	[bug]		"max-cache-size default;" as a view option
 			caused an assertion failure.
 
  974.	[bug]		"max-cache-size unlimited;" as a global option
 			was not accepted.
 
  973.	[bug]		Failed to log the question name when logging:
 			"bad zone transfer request: non-authoritative zone
 			(NOTAUTH)".
 
  972.	[bug]		The file modification time code in zone.c was using the
 			wrong epoch. [RT #1667]
 
  971.	[placeholder]
 
  970.	[func]		'max-journal-size' can now be used to set a target
 			size for a journal.
 
  969.	[func]		dig now supports the undocumented dig 8 feature
 			of allowing arbitrary labels, not just dotted
 			decimal quads, with the -x option.  This can be
 			used to conveniently look up RFC2317 names as in
 			"dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
 
  968.	[bug]		On win32, the isc_time_now() function was unnecessarily
 			calling strtime(). [RT #1671]
 
  967.	[bug]		On win32, the link for bindevt was not including the
 			required resource file to enable the event viewer
 			to interpret the error messages in the event log,
 			[RT #1668]
 
  966.	[placeholder]
 
  965.	[bug]		Including data other than root server NS and A
 			records in the root hint file could cause a rbtdb
 			node reference leak. [RT #1581, #1618]
 
  964.	[func]		Warn if data other than root server NS and A records
 			are found in the root hint file. [RT #1581, #1618]
 
  963.	[bug]		Bad ISC_LANG_ENDDECLS. [RT #1645]
 
  962.	[bug]		libbind: bad "#undef", don't attempt to install
 			non-existent nlist.h. [RT #1640]
 
  961.	[bug]		Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
 			was not defined. [RT #1482]
 
  960.	[port]		liblwres failed to build on systems with support for
 			getrrsetbyname() in the OS. [RT #1592]
 
  959.	[port]		On FreeBSD, determine the number of CPUs by calling
 			sysctlbyname(). [RT #1584]
 
  958.	[port]		ssize_t is not available on all platforms. [RT #1607]
 
  957.	[bug]		sys/select.h inclusion was broken on older platforms.
 			[RT #1607]
 
  956.	[bug]		ns_g_autorndcfile changed to ns_g_keyfile
 			in named/win32/os.c due to code changes in
 			change #953. win32 .make file for rndc-confgen
 			updated to add include path for os.h header.
 
 	--- 9.2.0rc1 released ---
 
  955.	[bug]		When using views, the zone's class was not being
 			inherited from the view's class. [RT #1583]
 
  954.	[bug]		When requesting AXFRs or IXFRs using dig, host, or
 			nslookup, the RD bit should not be set as zone
 			transfers are inherently non-recursive. [RT #1575]
 
  953.	[func]		The /var/run/named.key file from change #843
 			has been replaced by /etc/rndc.key.  Both
 			named and rndc will look for this file and use
 			it to configure a default control channel key
 			if not already configured using a different
 			method (rndc.conf / controls).  Unlike
 			named.key, rndc.key is not created automatically;
 			it must be created by manually running
 			"rndc-confgen -a".
 
  952.	[bug]		The server required manual intervention to serve the
 			affected zones if it died between creating a journal
 			and committing the first change to it.
 
  951.	[bug]		CFLAGS was not passed to the linker when
 			linking some of the test programs under
 			bin/tests. [RT #1555].
 
  950.	[bug]		Explicit TTLs did not properly override $TTL
 			due to a bug in change 834. [RT #1558]
 
  949.	[bug]		host was unable to print records larger than 512
 			bytes. [RT #1557]
 
 	--- 9.2.0b2 released ---
 
  948.	[port]		Integrated support for building on Windows NT /
 			Windows 2000.
 
  947.	[bug]		dns_rdata_soa_t had a badly named element "mname" which
 			was really the RNAME field from RFC1035.  To avoid
 			confusion and silent errors that would occur it the
 			"origin" and "mname" elements were given their correct
 			names "mname" and "rname" respectively, the "mname"
 			element is renamed to "contact".
 
  946.	[cleanup]	doc/misc/options is now machine-generated from the
 			configuration parser syntax tables, and therefore
 			more likely to be correct.
 
  945.	[func]		Add the new view-specific options
 			"match-destinations" and "match-recursive-only".
 
  944.	[func]		Check for expired signatures on load.
 
  943.	[bug]		The server could crash when receiving a command
 			via rndc if the configuration file listed only
 			nonexistent keys in the controls statement. [RT #1530]
 
  942.	[port]		libbind: GETNETBYADDR_ADDR_T was not correctly
 			defined on some platforms.
 
  941.	[bug]		The configuration checker crashed if a slave
 			zone didn't contain a masters statement. [RT #1514]
 
  940.	[bug]		Double zone locking failure on error path. [RT #1510]
 
 	--- 9.2.0b1 released ---
 
  939.	[port]		Add the --disable-linux-caps option to configure for
 			systems that manage capabilities outside of named.
 			[RT #1503]
 
  938.	[placeholder]
 
  937.	[bug]		A race when shutting down a zone could trigger a
 			INSIST() failure. [RT #1034]
 
  936.	[func]		Warn about IPv4 addresses that are not complete
 			dotted quads. [RT #1084]
 
  935.	[bug]		inet_pton failed to reject leading zeros.
 
  934.	[port]		Deal with systems where accept() spuriously returns
 			ECONNRESET.
 
  933.	[bug]		configure failed doing libbind on platforms not
 			supported by BIND 8. [RT #1496]
 
 	--- 9.2.0a3 released ---
 
  932.	[bug]		Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
 			when installing isc-config.sh.
 			[RT #198, #1466]
 
  931.	[bug]		The controls statement only attempted to verify
 			messages using the first key in the key list.
 			(9.2.0a1/a2 only).
 
  930.	[func]		Query performance testing tool added as
 			contrib/queryperf.
 
  929.	[placeholder]
 
  928.	[bug]		nsupdate would send empty update packets if the
 			send (or empty line) command was run after
 			another send but before any new updates or
 			prerequisites were specified.  It should simply
 			ignore this command.
 
  927.	[bug]		Don't hold the zone lock for the entire dump to disk.
 			[RT #1423]
 
  926.	[bug]		The resolver could deadlock with the ADB when
 			shutting down (multi-threaded builds only).
 			[RT #1324]
 
  925.	[cleanup]	Remove openssl from the distribution; require that
 			--with-openssl be specified if DNSSEC is needed.
 
  924.	[port]		Extend support for pre-RFC2133 IPv6 implementation.
 			[RT #987]
 
  923.	[bug]		Multiline TSIG secrets (and other multiline strings)
 			were not accepted in named.conf. [RT #1469]
 
  922.	[func]		Added two new lwres_getrrsetbyname() result codes,
 			ERR_NONAME and ERR_NODATA.
 
  921.	[bug]		lwres returned an incorrect error code if it received
 			a truncated message.
 
  920.	[func]		Increase the lwres receive buffer size to 16K.
 			[RT #1451]
 
  919.	[placeholder]
 
  918.	[func]		In nsupdate, TSIG errors are no longer treated as
 			fatal errors.
 
  917.	[func]		New nsupdate command 'key', allowing TSIG keys to
 			be specified in the nsupdate command stream rather
 			than the command line.
 
  916.	[bug]		Specifying type ixfr to dig without specifying
 			a serial number failed in unexpected ways.
 
  915.	[func]		The named-checkconf and named-checkzone programs
 			now have a '-v' option for printing their version.
 			[RT #1151]
 
  914.	[bug]		Global 'server' statements were rejected when
 			using views, even though they were accepted
 			in 9.1. [RT #1368]
 
  913.	[bug]		Cache cleaning was not sufficiently aggressive.
 			[RT #1441, #1444]
 
  912.	[bug]		Attempts to set the 'additional-from-cache' or
 			'additional-from-auth' option to 'no' in a
 			server with recursion enabled will now
 			be ignored and cause a warning message.
 			[RT #1145]
 
  911.	[placeholder]
 
  910.	[port]		Some pre-RFC2133 IPv6 implementations do not define
 			IN6ADDR_ANY_INIT. [RT #1416]
 
  909.	[placeholder]
 
  908.	[func]		New program, rndc-confgen, to simplify setting up rndc.
 
  907.	[func]		The ability to get entropy from either the
 			random device, a user-provided file or from
 			the keyboard was migrated from the DNSSEC tools
 			to libisc as isc_entropy_usebestsource().
 
  906.	[port]		Separated the system independent portion of
 			lib/isc/unix/entropy.c into lib/isc/entropy.c
 			and added lib/isc/win32/entropy.c.
 
  905.	[bug]		Configuring a forward "zone" for the root domain
 			did not work. [RT #1418]
 
  904.	[bug]		The server would leak memory if attempting to use
 			an expired TSIG key. [RT #1406]
 
  903.	[bug]		dig should not crash when receiving a TCP packet
 			of length 0.
 
  902.	[bug]		The -d option was ignored if both -t and -g were also
 			specified.
 
  901.	[placeholder]
 
  900.	[bug]		A config.guess update changed the system identification
 			string of FreeBSD systems; configure and
 			bin/tests/system/ifconfig.sh now recognize the new
 			string.
 
 	--- 9.2.0a2 released ---
 
  899.	[bug]		lib/dns/soa.c failed to compile on many platforms
 			due to inappropriate use of a void value.
 			[RT #1372, #1373, #1386, #1387, #1395]
 
  898.	[bug]		"dig" failed to set a nonzero exit status
 			on UDP query timeout. [RT #1323]
 
  897.	[bug]		A config.guess update changed the system identification
 			string of UnixWare systems; configure now recognizes
 			the new string.
 
  896.	[bug]		If a configuration file is set on named's command line
 			and it has a relative pathname, the current directory
 			(after any possible jailing resulting from named -t)
 			will be prepended to it so that reloading works
 			properly even when a directory option is present.
 
  895.	[func]		New function, isc_dir_current(), akin to POSIX's
 			getcwd().
 
  894.	[bug]		When using the DNSSEC tools, a message intended to warn
 			when the keyboard was being used because of the lack
 			of a suitable random device was not being printed.
 
  893.	[func]		Removed isc_file_test() and added isc_file_exists()
 			for the basic functionality that was being added
 			with isc_file_test().
 
  892.	[placeholder]
 
  891.	[bug]		Return an error when a SIG(0) signed response to
 			an unsigned query is seen.  This should actually
 			do the verification, but it's not currently
 			possible. [RT #1391]
 
  890.	[cleanup]	The man pages no longer require the mandoc macros
 			and should now format cleanly using most versions of
 			nroff, and HTML versions of the man pages have been
 			added.  Both are generated from DocBook source.
 
  889.	[port]		Eliminated blank lines before .TH in nroff man
 			pages since they cause problems with some versions
 			of nroff. [RT #1390]
 
  888.	[bug]		Don't die when using TKEY to delete a nonexistent
 			TSIG key. [RT #1392]
 
  887.	[port]		Detect broken compilers that can't call static
 			functions from inline functions. [RT #1212]
 
  886.	[placeholder]
 
  885.	[placeholder]
 
  884.	[placeholder]
 
  883.	[placeholder]
 
  882.	[placeholder]
 
  881.	[placeholder]
 
  880.	[placeholder]
 
  879.	[placeholder]
 
  878.	[placeholder]
 
  877.	[placeholder]
 
  876.	[placeholder]
 
  875.	[placeholder]
 
  874.	[placeholder]
 
  873.	[placeholder]
 
  872.	[placeholder]
 
  871.	[placeholder]
 
  870.	[placeholder]
 
  869.	[placeholder]
 
  868.	[placeholder]
 
  867.	[placeholder]
 
  866.	[func]		Close debug only file channels when debug is set to
 			zero. [RT #1246]
 
  865.	[bug]		The new configuration parser did not allow
 			the optional debug level in a "severity debug"
 			clause of a logging channel to be omitted.
 			This is now allowed and treated as "severity
 			debug 1;" like it does in BIND 8.2.4, not as
 			"severity debug 0;" like it did in BIND 9.1.
 			[RT #1367]
 
  864.	[cleanup]	Multi-threading is now enabled by default on
 			OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
 
  863.	[bug]		If an error occurred while an outgoing zone transfer
 			was starting up, the server could access a domain
 			name that had already been freed when logging a
 			message saying that the transfer was starting.
 			[RT #1383]
 
  862.	[bug]		Use after realloc(), non portable pointer arithmetic in
 			grmerge().
 
  861.	[port]		Add support for Mac OS X, by making it equivalent
 			to Darwin.  This was derived from the config.guess
 			file shipped with Mac OS X. [RT #1355]
 
  860.	[func]		Drop cross class glue in zone transfers.
 
  859.	[bug]		Cache cleaning now won't swamp the CPU if there
 			is a persistent over limit condition.
 
  858.	[func]		isc_mem_setwater() no longer requires that when the
 			callback function is non-NULL then its hi_water
 			argument must be greater than its lo_water argument
 			(they can now be equal) or that they be non-zero.
 
  857.	[cleanup]	Use ISC_MAGIC() to define all magic numbers for
 			structs, for our friends in EBCDIC-land.
 
  856.	[func]		Allow partial rdatasets to be returned in answer and
 			authority sections to help non-TCP capable clients
 			recover from truncation. [RT #1301]
 
  855.	[bug]		Stop spurious "using RFC 1035 TTL semantics" warnings.
 
  854.	[bug]		The config parser didn't properly handle config
 			options that were specified in units of time other
 			than seconds. [RT #1372]
 
  853.	[bug]		configure_view_acl() failed to detach existing acls.
 			[RT #1374]
 
  852.	[bug]		Handle responses from servers which do not know
 			about IXFR.
 
  851.	[cleanup]	The obsolete support-ixfr option was not properly
 			ignored.
 
 	--- 9.2.0a1 released ---
 
  850.	[bug]		dns_rbt_findnode() would not find nodes that were
 			split on a bitstring label somewhere other than in
 			the last label of the node. [RT #1351]
 
  849.	[func]		<isc/net.h> will ensure INADDR_LOOPBACK is defined.
 
  848.	[func]		A minimum max-cache-size of two megabytes is enforced
 			by the cache cleaner.
 
  847.	[func]		Added isc_file_test(), which currently only has
 			some very basic functionality to test for the
 			existence of a file, whether a pathname is absolute,
 			or whether a pathname is the fundamental representation
 			of the current directory.  It is intended that this
 			function can be expanded to test other things a
 			programmer might want to know about a file.
 
  846.	[func]		A non-zero 'param' to dst_key_generate() when making an
 			hmac-md5 key means that good entropy is not required.
 
  845.	[bug]		The access rights on the public file of a symmetric
 			key are now restricted as soon as the file is opened,
 			rather than after it has been written and closed.
 
  844.	[func]		<isc/net.h> will ensure INADDR_LOOPBACK is defined,
 			just as <lwres/net.h> does.
 
  843.	[func]		If no controls statement is present in named.conf,
 			or if any inet phrase of a controls statement is
 			lacking a keys clause, then a key will be automatically
 			generated by named and an rndc.conf-style file
 			named named.key will be written that uses it.  rndc
 			will use this file only if its normal configuration
 			file, or one provided on the command line, does not
 			exist.
 
  842.	[func]		'rndc flush' now takes an optional view.
 
  841.	[bug]		When sdb modules were not declared threadsafe, their
 			create and destroy functions were not serialized.
 
  840.	[bug]		The config file parser could print the wrong file
 			name if an error was detected after an included file
 			was parsed. [RT #1353]
 
  839.	[func]		Dump packets for which there was no view or that the
 			class could not be determined to category "unmatched".
 
  838.	[port]		UnixWare 7.x.x is now suported by
 			bin/tests/system/ifconfig.sh.
 
  837.	[cleanup]	Multi-threading is now enabled by default only on
 			OSF1, Solaris 2.7 and newer, and AIX.
 
  836.	[func]		Upgraded libtool to 1.4.
 
  835.	[bug]		The dispatcher could enter a busy loop if
 			it got an I/O error receiving on a UDP socket.
 			[RT #1293]
 
  834.	[func]		Accept (but warn about) master files beginning with
 			an SOA record without an explicit TTL field and
 			lacking a $TTL directive, by using the SOA MINTTL
 			as a default TTL.  This is for backwards compatibility
 			with old versions of BIND 8, which accepted such
 			files without warning although they are illegal
 			according to RFC1035.
 
  833.	[cleanup]	Moved dns_soa_*() from <dns/journal.h> to
 			<dns/soa.h>, and extended them to support
 			all the integer-valued fields of the SOA RR.
 
  832.	[bug]		The default location for named.conf in named-checkconf
 			should depend on --sysconfdir like it does in named.
 			[RT #1258]
 
  831.	[placeholder]
 
  830.	[func]		Implement 'rndc status'.
 
  829.	[bug]		The DNS_R_ZONECUT result code should only be returned
 			when an ANY query is made with DNS_DBFIND_GLUEOK set.
 			In all other ANY query cases, returning the delegation
 			is better.
 
  828.	[bug]		The errno value from recvfrom() could be overwritten
 			by logging code. [RT #1293]
 
  827.	[bug]		When an IXFR protocol error occurs, the slave
 			should retry with AXFR.
 
  826.	[bug]		Some IXFR protocol errors were not detected.
 
  825.	[bug]		zone.c:ns_query() detached from the wrong zone
 			reference. [RT #1264]
 
  824.	[bug]		Correct line numbers reported by dns_master_load().
 			[RT #1263]
 
  823.	[func]		The output of "dig -h" now goes to stdout so that it
 			can easily be piped through "more". [RT #1254]
 
  822.	[bug]		Sending nxrrset prerequisites would crash nsupdate.
 			[RT #1248]
 
  821.	[bug]		The program name used when logging to syslog should
 			be stripped of leading path components.
 			[RT #1178, #1232]
 
  820.	[bug]		Name server address lookups failed to follow
 			A6 chains into the glue of local authoritative
 			zones.
 
  819.	[bug]		In certain cases, the resolver's attempts to
 			restart an address lookup at the root could cause
 			the fetch to deadlock (with itself) instead of
 			restarting. [RT #1225]
 
  818.	[bug]		Certain pathological responses to ANY queries could
 			cause an assertion failure. [RT #1218]
 
  817.	[func]		Adjust timeouts for dialup zone queries.
 
  816.	[bug]		Report potential problems with log file accessibility
 			at configuration time, since such problems can't
 			reliably be reported at the time they actually occur.
 
  815.	[bug]		If a log file was specified with a path separator
 			character (i.e. "/") in its name and the directory
 			did not exist, the log file's name was treated as
 			though it were the directory name. [RT #1189]
 
  814.	[bug]		Socket objects left over from accept() failures
 			were incorrectly destroyed, causing corruption
 			of socket manager data structures.
 
  813.	[bug]		File descriptors exceeding FD_SETSIZE were handled
 			badly. [RT #1192]
 
  812.	[bug]		dig sometimes printed incomplete IXFR responses
 			due to an uninitialized variable. [RT #1188]
 
  811.	[bug]		Parentheses were not quoted in zone dumps. [RT #1194]
 
  810.	[bug]		The signer name in SIG records was not properly
 			down-cased when signing/verifying records. [RT #1186]
 
  809.	[bug]		Configuring a non-local address as a transfer-source
 			could cause an assertion failure during load.
 
  808.	[func]		Add 'rndc flush' to flush the server's cache.
 
  807.	[bug]		When setting up TCP connections for incoming zone
 			transfers, the transfer-source port was not
 			ignored like it should be.
 
  806.	[bug]		DNS_R_SEENINCLUDE was failing to propagate back up
 			the calling stack to the zone maintenance level,
 			causing zones to not reload when an included file was
 			touched but the top-level zone file was not.
 
  805.	[bug]		When using "forward only", missing root hints should
 			not cause queries to fail. [RT #1143]
 
  804.	[bug]		Attempting to obtain entropy could fail in some
 			situations.  This would be most common on systems
 			with user-space threads. [RT #1131]
 
  803.	[bug]		Treat all SIG queries as if they have the CD bit set,
 			otherwise no data will be returned [RT #749]
 
  802.	[bug]		DNSSEC key tags were computed incorrectly in almost
 			all cases. [RT #1146]
 
  801.	[bug]		nsupdate should treat lines beginning with ';' as
 			comments. [RT #1139]
 
  800.	[bug]		dnssec-signzone produced incorrect statistics for
 			large zones. [RT #1133]
 
  799.	[bug]		The ADB didn't find AAAA glue in a zone unless A6
 			glue was also present.
 
  798.	[bug]		nsupdate should be able to reject bad input lines
 			and continue. [RT #1130]
 
  797.	[func]		Issue a warning if the 'directory' option contains
 			a relative path. [RT #269]
 
  796.	[func]		When a size limit is associated with a log file,
 			only roll it when the size is reached, not every
 			time the log file is opened. [RT #1096]
 
  795.	[func]		Add the +multiline option to dig. [RT #1095]
 
  794.	[func]		Implement the "port" and "default-port" statements
 			in rndc.conf.
 
  793.	[cleanup]	The DNSSEC tools could create filenames that were
 			illegal or contained shell meta-characters.  They
 			now use a different text encoding of names that
 			doesn't have these problems. [RT #1101]
 
  792.	[cleanup]	Replace the OMAPI command channel protocol with a
 			simpler one.
 
  791.	[bug]		The command channel now works over IPv6.
 
  790.	[bug]		Wildcards created using dynamic update or IXFR
 			could fail to match. [RT #1111]
 
  789.	[bug]		The "localhost" and "localnets" ACLs did not match
 			when used as the second element of a two-element
 			sortlist item.
 
  788.	[func]		Add the "match-mapped-addresses" option, which
 			causes IPv6 v4mapped addresses to be treated as
 			IPv4 addresses for the purpose of acl matching.
 
  787.	[bug]		The DNSSEC tools failed to downcase domain
 			names when mapping them into file names.
 
  786.	[bug]		When DNSSEC signing/verifying data, owner names were
 			not properly down-cased.
 
  785.	[bug]		A race condition in the resolver could cause
 			an assertion failure. [RT #673, #872, #1048]
 
  784.	[bug]		nsupdate and other programs would not quit properly
 			if some signals were blocked by the caller. [RT #1081]
 
  783.	[bug]		Following CNAMEs could cause an assertion failure
 			when either using an sdb database or under very
 			rare conditions.
 
  782.	[func]		Implement the "serial-query-rate" option.
 
  781.	[func]		Avoid error packet loops by dropping duplicate FORMERR
 			responses. [RT #1006]
 
  780.	[bug]		Error handling code dealing with out of memory or
 			other rare errors could lead to assertion failures
 			by calling functions on uninitialized names. [RT #1065]
 
  779.	[func]		Added the "minimal-responses" option.
 
  778.	[bug]		When starting cache cleaning, cleaning_timer_action()
 			returned without first pausing the iterator, which
 			could cause deadlock. [RT #998]
 
  777.	[bug]		An empty forwarders list in a zone failed to override
 			global forwarders. [RT #995]
 
  776.	[func]		Improved error reporting in denied messages. [RT #252]
 
  775.	[placeholder]
 
  774.	[func]		max-cache-size is implemented.
 
  773.	[func]		Added isc_rwlock_trylock() to attempt to lock without
 			blocking.
 
  772.	[bug]		Owner names could be incorrectly omitted from cache
 			dumps in the presence of negative caching entries.
 			[RT #991]
 
  771.	[cleanup]	TSIG errors related to unsynchronized clocks
 			are logged better. [RT #919]
 
  770.	[func]		Add the "edns yes_or_no" statement to the server
 			clause. [RT #524]
 
  769.	[func]		Improved error reporting when parsing rdata. [RT #740]
 
  768.	[bug]		The server did not emit an SOA when a CNAME
 			or DNAME chain ended in NXDOMAIN in an
 			authoritative zone.
 
  767.	[placeholder]
 
  766.	[bug]		A few cases in query_find() could leak fname.
 			This would trigger the mpctx->allocated == 0
 			assertion when the server exited.
 			[RT #739, #776, #798, #812, #818, #821, #845,
 			#892, #935, #966]
 
  765.	[func]		ACL names are once again case insensitive, like
 			in BIND 8. [RT #252]
 
  764.	[func]		Configuration files now allow "include" directives
 			in more places, such as inside the "view" statement.
 			[RT #377, #728, #860]
 
  763.	[func]		Configuration files no longer have reserved words.
 			[RT #731, #753]
 
  762.	[cleanup]	The named.conf and rndc.conf file parsers have
 			been completely rewritten.
 
  761.	[bug]		_REENTRANT was still defined when building with
 			--disable-threads.
 
  760.	[contrib]	Significant enhancements to the pgsql sdb driver.
 
  759.	[bug]		The resolver didn't turn off "avoid fetches" mode
 			when restarting, possibly causing resolution
 			to fail when it should not.  This bug only affected
 			platforms which support both IPv4 and IPv6. [RT #927]
 
  758.	[bug]		The "avoid fetches" code did not treat negative
 			cache entries correctly, causing fetches that would
 			be useful to be avoided.  This bug only affected
 			platforms which support both IPv4 and IPv6. [RT #927]
 
  757.	[func]		Log zone transfers.
 
  756.	[bug]		dns_zone_load() could "return" success when no master
 			file was configured.
 
  755.	[bug]		Fix incorrectly formatted log messages in zone.c.
 
  754.	[bug]		Certain failure conditions sending UDP packets
 			could cause the server to retry the transmission
 			indefinitely. [RT #902]
 
  753.	[bug]		dig, host, and nslookup would fail to contact a
 			remote server if getaddrinfo() returned an IPv6
 			address on a system that doesn't support IPv6.
 			[RT #917]
 
  752.	[func]		Correct bad tv_usec elements returned by
 			gettimeofday().
 
  751.	[func]		Log successful zone loads / transfers.  [RT #898]
 
  750.	[bug]		A query should not match a DNAME whose trust level
 			is pending. [RT #916]
 
  749.	[bug]		When a query matched a DNAME in a secure zone, the
 			server did not return the signature of the DNAME.
 			[RT #915]
 
  748.	[doc]		List supported RFCs in doc/misc/rfc-compliance.
 			[RT #781]
 
  747.	[bug]		The code to determine whether an IXFR was possible
 			did not properly check for a database that could
 			not have a journal. [RT #865, #908]
 
  746.	[bug]		The sdb didn't clone rdatasets properly, causing
 			a crash when the server followed delegations. [RT #905]
 
  745.	[func]		Report the owner name of records that fail
 			semantic checks while loading.
 
  744.	[bug]		When returning DNS_R_CNAME or DNS_R_DNAME as the
 			result of an ANY or SIG query, the resolver failed
 			to setup the return event's rdatasets, causing an
 			assertion failure in the query code. [RT #881]
 
  743.	[bug]		Receiving a large number of certain malformed
 			answers could cause named to stop responding.
 			[RT #861]
 
  742.	[placeholder]
 
  741.	[port]		Support openssl-engine. [RT #709]
 
  740.	[port]		Handle openssl library mismatches slightly better.
 
  739.	[port]		Look for /dev/random in configure, rather than
 			assuming it will be there for only a predefined
 			set of OSes.
 
  738.	[bug]		If a non-threadsafe sdb driver supported AXFR and
 			received an AXFR request, it would deadlock or die
 			with an assertion failure. [RT #852]
 
  737.	[port]		stdtime.c failed to compile on certain platforms.
 
  736.	[func]		New functions isc_task_{begin,end}exclusive().
 
  735.	[doc]		Add BIND 4 migration notes.
 
  734.	[bug]		An attempt to re-lock the zone lock could occur if
 			the server was shutdown during a zone transfer.
 			[RT #830]
 
  733.	[bug]		Reference counts of dns_acl_t objects need to be
 			locked but were not. [RT #801, #821]
 
  732.	[bug]		Glue with 0 TTL could also cause SERVFAIL. [RT #828]
 
  731.	[bug]		Certain zone errors could cause named-checkzone to
 			fail ungracefully. [RT #819]
 
  730.	[bug]		lwres_getaddrinfo() returns the correct result when
 			it fails to contact a server. [RT #768]
 
  729.	[port]		pthread_setconcurrency() needs to be called on Solaris.
 
  728.	[bug]		Fix comment processing on master file directives.
 			[RT #757]
 
  727.	[port]		Work around OS bug where accept() succeeds but
 			fails to fill in the peer address of the accepted
 			connection, by treating it as an error rather than
 			an assertion failure. [RT #809]
 
  726.	[func]		Implement the "trace" and "notrace" commands in rndc.
 
  725.	[bug]		Installing man pages could fail.
 
  724.	[func]		New libisc functions isc_netaddr_any(),
 			isc_netaddr_any6().
 
  723.	[bug]		Referrals whose NS RRs had a 0 TTL caused the resolver
 			to return DNS_R_SERVFAIL. [RT #783]
 
  722.	[func]		Allow incremental loads to be canceled.
 
  721.	[cleanup]	Load manager and dns_master_loadfilequota() are no
 			more.
 
  720.	[bug]		Server could enter infinite loop in
 			dispatch.c:do_cancel(). [RT #733]
 
  719.	[bug]		Rapid reloads could trigger an assertion failure.
 			[RT #743, #763]
 
  718.	[cleanup]	"internal" is no longer a reserved word in named.conf.
 			[RT #753, #731]
 
  717.	[bug]		Certain TKEY processing failure modes could
 			reference an uninitialized variable, causing the
 			server to crash. [RT #750]
 
  716.	[bug]		The first line of a $INCLUDE master file was lost if
 			an origin was specified. [RT #744]
 
  715.	[bug]		Resolving some A6 chains could cause an assertion
 			failure in adb.c. [RT #738]
 
  714.	[bug]		Preserve interval timers across reloads unless changed.
 			[RT #729]
 
  713.	[func]		named-checkconf takes '-t directory' similar to named.
 			[RT #726]
 
  712.	[bug]		Sending a large signed update message caused an
 			assertion failure. [RT #718]
 
  711.	[bug]		The libisc and liblwres implementations of
 			inet_ntop contained an off by one error.
 
  710.	[func]		The forwarders statement now takes an optional
 			port. [RT #418]
 
  709.	[bug]		ANY or SIG queries for data with a TTL of 0
 			would return SERVFAIL. [RT #620]
 
  708.	[bug]		When building with --with-openssl, the openssl headers
 			included with BIND 9 should not be used. [RT #702]
 
  707.	[func]		The "filename" argument to named-checkzone is no
 			longer optional, to reduce confusion. [RT #612]
 
  706.	[bug]		Zones with an explicit "allow-update { none; };"
 			were considered dynamic and therefore not reloaded
 			on SIGHUP or "rndc reload".
 
  705.	[port]		Work out resource limit type for use where rlim_t is
 			not available. [RT #695]
 
  704.	[port]		RLIMIT_NOFILE is not available on all platforms.
 			[RT #695]
 
  703.	[port]		sys/select.h is needed on older platforms. [RT #695]
 
  702.	[func]		If the address 0.0.0.0 is seen in resolv.conf,
 			use 127.0.0.1 instead. [RT #693]
 
  701.	[func]		Root hints are now fully optional.  Class IN
 			views use compiled-in hints by default, as
 			before.  Non-IN views with no root hints now
 			provide authoritative service but not recursion.
 			A warning is logged if a view has neither root
 			hints nor authoritative data for the root. [RT #696]
 
  700.	[bug]		$GENERATE range check was wrong. [RT #688]
 
  699.	[bug]		The lexer mishandled empty quoted strings. [RT #694]
 
  698.	[bug]		Aborting nsupdate with ^C would lead to several
 			race conditions.
 
  697.	[bug]		nsupdate was not compatible with the undocumented
 			BIND 8 behavior of ignoring TTLs in "update delete"
 			commands. [RT #693]
 
  696.	[bug]		lwresd would die with an assertion failure when passed
 			a zero-length name. [RT #692]
 
  695.	[bug]		If the resolver attempted to query a blackholed or
 			bogus server, the resolution would fail immediately.
 
  694.	[bug]		$GENERATE did not produce the last entry.
 			[RT #682, #683]
 
  693.	[bug]		An empty lwres statement in named.conf caused
 			the server to crash while loading.
 
  692.	[bug]		Deal with systems that have getaddrinfo() but not
 			gai_strerror(). [RT #679]
 
  691.	[bug]		Configuring per-view forwarders caused an assertion
 			failure. [RT #675, #734]
 
  690.	[func]		$GENERATE now supports DNAME. [RT #654]
 
  689.	[doc]		man pages are now installed. [RT #210]
 
  688.	[func]		"make tags" now works on systems with the
 			"Exuberant Ctags" etags.
 
  687.	[bug]		Only say we have IPv6, with sufficient functionality,
 			if it has actually been tested. [RT #586]
 
  686.	[bug]		dig and nslookup can now be properly aborted during
 			blocking operations. [RT #568]
 
  685.	[bug]		nslookup should use the search list/domain options
 			from resolv.conf by default. [RT #405, #630]
 
  684.	[bug]		Memory leak with view forwarders. [RT #656]
 
  683.	[bug]		File descriptor leak in isc_lex_openfile().
 
  682.	[bug]		nslookup displayed SOA records incorrectly. [RT #665]
 
  681.	[bug]		$GENERATE specifying output format was broken. [RT #653]
 
  680.	[bug]		dns_rdata_fromstruct() mishandled options bigger
 			than 255 octets.
 
  679.	[bug]		$INCLUDE could leak memory and file descriptors on
 			reload. [RT #639]
 
  678.	[bug]		"transfer-format one-answer;" could trigger an assertion
 			failure. [RT #646]
 
  677.	[bug]		dnssec-signzone would occasionally use the wrong ttl
 			for database operations and fail. [RT #643]
 
  676.	[bug]		Log messages about lame servers to category
 			'lame-servers' rather than 'resolver', so as not
 			to be gratuitously incompatible with BIND 8.
 
  675.	[bug]		TKEY queries could cause the server to leak
 			memory.
 
  674.	[func]		Allow messages to be TSIG signed / verified using
 			a offset from the current time.
 
  673.	[func]		The server can now convert RFC1886-style recursive
 			lookup requests into RFC2874-style lookups, when
 			enabled using the new option "allow-v6-synthesis".
 
  672.	[bug]		The wrong time was in the "time signed" field when
 			replying with BADTIME error.
 
  671.	[bug]		The message code was failing to parse a message with
 			no question section and a TSIG record. [RT #628]
 
  670.	[bug]		The lwres replacements for getaddrinfo and
 			getipnodebyname didn't properly check for the
 			existence of the sockaddr sa_len field.
 
  669.	[bug]		dnssec-keygen now makes the public key file
 			non-world-readable for symmetric keys. [RT #403]
 
  668.	[func]		named-checkzone now reports multiple errors in master
 			files.
 
  667.	[bug]		On Linux, running named with the -u option and a
 			non-world-readable configuration file didn't work.
 			[RT #626]
 
  666.	[bug]		If a request sent by dig is longer than 512 bytes,
 			use TCP.
 
  665.	[bug]		Signed responses were not sent when the size of the
 			TSIG + question exceeded the maximum message size.
 			[RT #628]
 
  664.	[bug]		The t_tasks and t_timers module tests are now skipped
 			when building without threads, since they require
 			threads.
 
  663.	[func]		Accept a size_spec, not just an integer, in the
 			(unimplemented and ignored) max-ixfr-log-size option
 			for compatibility with recent versions of BIND 8.
 			[RT #613]
 
  662.	[bug]		dns_rdata_fromtext() failed to log certain errors.
 
  661.	[bug]		Certain UDP IXFR requests caused an assertion failure
 			(mpctx->allocated == 0). [RT #355, #394, #623]
 
  660.	[port]		Detect multiple CPUs on HP-UX and IRIX.
 
  659.	[performance]	Rewrite the name compression code to be much faster.
 
  658.	[cleanup]	Remove all vestiges of 16 bit global compression.
 
  657.	[bug]		When a listen-on statement in an lwres block does not
 			specify a port, use 921, not 53.  Also update the
 			listen-on documentation. [RT #616]
 
  656.	[func]		Treat an unescaped newline in a quoted string as
 			an error.  This means that TXT records with missing
 			close quotes should have meaningful errors printed.
 
  655.	[bug]		Improve error reporting on unexpected eof when loading
 			zones. [RT #611]
 
  654.	[bug]		Origin was being forgotten in TCP retries in dig.
 			[RT #574]
 
  653.	[bug]		+defname option in dig was reversed in sense.
 			[RT #549]
 
  652.	[bug]		zone_saveunique() did not report the new name.
 
  651.	[func]		The AD bit in responses now has the meaning
 			specified in <draft-ietf-dnsext-ad-is-secure>.
 
  650.	[bug]		SIG(0) records were being generated and verified
 			incorrectly. [RT #606]
 
  649.	[bug]		It was possible to join to an already running fctx
 			after it had "cloned" its events, but before it sent
 			them.  In this case, the event of the newly joined
 			fetch would not contain the answer, and would
 			trigger the INSIST() in fctx_sendevents().  In
 			BIND 9.0, this bug did not trigger an INSIST(), but
 			caused the fetch to fail with a SERVFAIL result.
 			[RT #588, #597, #605, #607]
 
  648.	[port]		Add support for pre-RFC2133 IPv6 implementations.
 
  647.	[bug]		Resolver queries sent after following multiple
 			referrals had excessively long retransmission
 			timeouts due to incorrectly counting the referrals
 			as "restarts".
 
  646.	[bug]		The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
 			didn't _cleanly_ fix the problem it was trying to fix.
 
  645.	[port]		BSD/OS 3.0 needs pthread_init(). [RT #603]
 
  644.	[bug]		#622 needed more work. [RT #562]
 
  643.	[bug]		xfrin error messages made more verbose, added class
 			of the zone. [RT #599]
 
  642.	[bug]		Break the exit_check() race in the zone module.
 			[RT #598]
 
 	--- 9.1.0b2 released ---
 
  641.	[bug]		$GENERATE caused a uninitialized link to be used.
 			[RT #595]
 
  640.	[bug]		Memory leak in error path could cause
 			"mpctx->allocated == 0" failure. [RT #584]
 
  639.	[bug]		Reading entropy from the keyboard would sometimes fail.
 			[RT #591]
 
  638.	[port]		lib/isc/random.c needed to explicitly include time.h
 			to get a prototype for time() when pthreads was not
 			being used. [RT #592]
 
  637.	[port]		Use isc_u?int64_t instead of (unsigned) long long in
 			lib/isc/print.c.  Also allow lib/isc/print.c to
 			be compiled even if the platform does not need it.
 			[RT #592]
 
  636.	[port]		Shut up MSVC++ about a possible loss of precision
 			in the ISC__BUFFER_PUTUINT*() macros. [RT #592]
 
  635.	[bug]		Reloading a server with a configured blackhole list
 			would cause an assertion. [RT #590]
 
  634.	[bug]		A log file will completely stop being written when
 			it reaches the maximum size in all cases, not just
 			when versioning is also enabled. [RT #570]
 
  633.	[port]		Cope with rlim_t missing on BSD/OS systems. [RT #575]
 
  632.	[bug]		The index array of the journal file was
 			corrupted as it was written to disk.
 
  631.	[port]		Build without thread support on systems without
 			pthreads.
 
  630.	[bug]		Locking failure in zone code. [RT #582]
 
  629.	[bug]		9.1.0b1 dereferenced a null pointer and crashed
 			when responding to a UDP IXFR request.
 
  628.	[bug]		If the root hints contained only AAAA addresses,
 			named would be unable to perform resolution.
 
  627.	[bug]		The EDNS0 blackhole detection code of change 324
 			waited for three retransmissions to each server,
 			which takes much too long when a domain has many
 			name servers and all of them drop EDNS0 queries.
 			Now we retry without EDNS0 after three consecutive
 			timeouts, even if they are all from different
 			servers. [RT #143]
 
  626.	[bug]		The lightweight resolver daemon no longer crashes
 			when asked for a SIG rrset. [RT #558]
 
  625.	[func]		Zones now inherit their class from the enclosing view.
 
  624.	[bug]		The zone object could get timer events after it had
 			been destroyed, causing a server crash. [RT #571]
 
  623.	[func]		Added "named-checkconf" and "named-checkzone" program
 			for syntax checking named.conf files and zone files,
 			respectively.
 
  622.	[bug]		A canceled request could be destroyed before
 			dns_request_destroy() was called. [RT #562]
 
  621.	[port]		Disable IPv6 at runtime if IPv6 sockets are unusable.
 			This mostly affects Red Hat Linux 7.0, which has
 			conflicts between libc and the kernel.
 
  620.	[bug]		dns_master_load*inc() now require 'task' and 'load'
 			to be non-null.  Also 'done' will not be called if
 			dns_master_load*inc() fails immediately. [RT #565]
 
  619.	[placeholder]
 
  618.	[bug]		Queries to a signed zone could sometimes cause
 			an assertion failure.
 
  617.	[bug]		When using dynamic update to add a new RR to an
 			existing RRset with a different TTL, the journal
 			entries generated from the update did not include
 			explicit deletions and re-additions of the existing
 			RRs to update their TTL to the new value.
 
  616.	[func]		dnssec-signzone -t output now includes performance
 			statistics.
 
  615.	[bug]		dnssec-signzone did not like child keysets signed
 			by multiple keys.
 
  614.	[bug]		Checks for uninitialized link fields were prone
 			to false positives, causing assertion failures.
 			The checks are now disabled by default and may
 			be re-enabled by defining ISC_LIST_CHECKINIT.
 
  613.	[bug]		"rndc reload zone" now reloads primary zones.
 			It previously only updated slave and stub zones,
 			if an SOA query indicated an out of date serial.
 
  612.	[cleanup]	Shutup a ridiculously noisy HP-UX compiler that
 			complains relentlessly about how its treatment
 			of 'const' has changed as well as how casting
 			sometimes tightens alignment constraints.
 
  611.	[func]		allow-notify can be used to permit processing of
 			notify messages from hosts other than a slave's
 			masters.
 
  610.	[func]		rndc dumpdb is now supported.
 
  609.	[bug]		getrrsetbyname() would crash lwresd if the server
 			found more SIGs than answers. [RT #554]
 
  608.	[func]		dnssec-signzone now adds a comment to the zone
 			with the time the file was signed.
 
  607.	[bug]		nsupdate would fail if it encountered a CNAME or
 			DNAME in a response to an SOA query. [RT #515]
 
  606.	[bug]		Compiling with --disable-threads failed due
 			to isc_thread_self() being incorrectly defined
 			as an integer rather than a function.
 
  605.	[func]		New function isc_lex_getlasttokentext().
 
  604.	[bug]		The named.conf parser could print incorrect line
 			numbers when long comments were present.
 
  603.	[bug]		Make dig handle multiple types or classes on the same
 			query more correctly.
 
  602.	[func]		Cope automatically with UnixWare's broken
 			IN6_IS_ADDR_* macros. [RT #539]
 
  601.	[func]		Return a non-zero exit code if an update fails
 			in nsupdate.
 
  600.	[bug]		Reverse lookups sometimes failed in dig, etc...
 
  599.	[func]		Added four new functions to the libisc log API to
 			support i18n messages.  isc_log_iwrite(),
 			isc_log_ivwrite(), isc_log_iwrite1() and
 			isc_log_ivwrite1() were added.
 
  598.	[bug]		An update-policy statement would cause the server
 			to assert while loading. [RT #536]
 
  597.	[func]		dnssec-signzone is now multi-threaded.
 
  596.	[bug]		DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
 			not mutually exclusive.
 
  595.	[port]		On Linux 2.2, socket() returns EINVAL when it
 			should return EAFNOSUPPORT.  Work around this.
 			[RT #531]
 
  594.	[func]		sdb drivers are now assumed to not be thread-safe
 			unless the DNS_SDBFLAG_THREADSAFE flag is supplied.
 
  593.	[bug]		If a secure zone was missing all its NXTs and
 			a dynamic update was attempted, the server entered
 			an infinite loop.
 
  592.	[bug]		The sig-validity-interval option now specifies a
 			number of days, not seconds.  This matches the
 			documentation. [RT #529]
 
 	--- 9.1.0b1 released ---
 
  591.	[bug]		Work around non-reentrancy in openssl by disabling
 			pre-computation in keys.
 
  590.	[doc]		There are now man pages for the lwres library in
 			doc/man/lwres.
 
  589.	[bug]		The server could deadlock if a zone was updated
 			while being transferred out.
 
  588.	[bug]		ctx->in_use was not being correctly initialized when
 			when pushing a file for $INCLUDE. [RT #523]
 
  587.	[func]		A warning is now printed if the "allow-update"
 			option allows updates based on the source IP
 			address, to alert users to the fact that this
 			is insecure and becoming increasingly so as
 			servers capable of update forwarding are being
 			deployed.
 
  586.	[bug]		multiple views with the same name were fatal. [RT #516]
 
  585.	[func]		dns_db_addrdataset() and and dns_rdataslab_merge()
 			now support 'exact' additions in a similar manner to
 			dns_db_subtractrdataset() and dns_rdataslab_subtract().
 
  584.	[func]		You can now say 'notify explicit'; to suppress
 			notification of the servers listed in NS records
 			and notify only those servers listed in the
 			'also-notify' option.
 
  583.	[func]		"rndc querylog" will now toggle logging of
 			queries, like "ndc querylog" in BIND 8.
 
  582.	[bug]		dns_zone_idetach() failed to lock the zone.
 			[RT #199, #463]
 
  581.	[bug]		log severity was not being correctly processed.
 			[RT #485]
 
  580.	[func]		Ignore trailing garbage on incoming DNS packets,
 			for interoperability with broken server
 			implementations. [RT #491]
 
  579.	[bug]		nsupdate did not take a filename to read update from.
 			[RT #492]
 
  578.	[func]		New config option "notify-source", to specify the
 			source address for notify messages.
 
  577.	[func]		Log illegal RDATA combinations. e.g. multiple
 			singleton types, cname and other data.
 
  576.	[doc]		isc_log_create() description did not match reality.
 
  575.	[bug]		isc_log_create() was not setting internal state
 			correctly to reflect the default channels created.
 
  574.	[bug]		TSIG signed queries sent by the resolver would fail to
 			have their responses validated and would leak memory.
 
  573.	[bug]		The journal files of IXFRed slave zones were
 			inadvertently discarded on server reload, causing
 			"journal out of sync with zone" errors on subsequent
 			reloads. [RT #482]
 
  572.	[bug]		Quoted strings were not accepted as key names in
 			address match lists.
 
  571.	[bug]		It was possible to create an rdataset of singleton
 			type which had more than one rdata. [RT #154]
 			[RT #279]
 
  570.	[bug]		rbtdb.c allowed zones containing nodes which had
 			both a CNAME and "other data". [RT #154]
 
  569.	[func]		The DNSSEC AD bit will not be set on queries which
 			have not requested a DNSSEC response.
 
  568.	[func]		Add sample simple database drivers in contrib/sdb.
 
  567.	[bug]		Setting the zone transfer timeout to zero caused an
 			assertion failure. [RT #302]
 
  566.	[func]		New public function dns_timer_setidle().
 
  565.	[func]		Log queries more like BIND 8: query logging is now
 			done to category "queries", level "info". [RT #169]
 
  564.	[func]		Add sortlist support to lwresd.
 
  563.	[func]		New public functions dns_rdatatype_format() and
 			dns_rdataclass_format(), for convenient formatting
 			of rdata type/class mnemonics in log messages.
 
  562.	[cleanup]	Moved lib/dns/*conf.c to bin/named where they belong.
 
  561.	[func]		The 'datasize', 'stacksize', 'coresize' and 'files'
 			clauses of the options{} statement are now implemented.
 
  560.	[bug]		dns_name_split did not properly the resulting prefix
 			when a maximal length bitstring label was split which
 			was preceded by another bitstring label. [RT #429]
 
  559.	[bug]		dns_name_split did not properly create the suffix
 			when splitting within a maximal length bitstring label.
 
  558.	[func]		New functions, isc_resource_getlimit and
 			isc_resource_setlimit.
 
  557.	[func]		Symbolic constants for libisc integral types.
 
  556.	[func]		The DNSSEC OK bit in the EDNS extended flags
 			is now implemented.  Responses to queries without
 			this bit set will not contain any DNSSEC records.
 
  555.	[bug]		A slave server attempting a zone transfer could
 			crash with an assertion failure on certain
 			malformed responses from the master. [RT #457]
 
  554.	[bug]		In some cases, not all of the dnssec tools were
 			properly installed.
 
  553.	[bug]		Incoming zone transfers deferred due to quota
 			were not started when quota was increased but
 			only when a transfer in progress finished. [RT #456]
 
  552.	[bug]		We were not correctly detecting the end of all c-style
 			comments. [RT #455]
 
  551.	[func]		Implemented the 'sortlist' option.
 
  550.	[func]		Support unknown rdata types and classes.
 
  549.	[bug]		"make" did not immediately abort the build when a
 			subdirectory make failed [RT #450].
 
  548.	[func]		The lexer now ungets tokens more correctly.
 
  547.	[placeholder]
 
  546.	[func]		Option 'lame-ttl' is now implemented.
 
  545.	[func]		Name limit and counting options removed from dig;
 			they didn't work properly, and cannot be correctly
 			implemented without significant changes.
 
  544.	[func]		Add statistics option, enable statistics-file option,
 			add RNDC option "dump-statistics" to write out a
 			query statistics file.
 
  543.	[doc]		The 'port' option is now documented.
 
  542.	[func]		Add support for update forwarding as required for
 			full compliance with RFC2136.  It is turned off
 			by default and can be enabled using the
 			'allow-update-forwarding' option.
 
  541.	[func]		Add bogus server support.
 
  540.	[func]		Add dialup support.
 
  539.	[func]		Support the blackhole option.
 
  538.	[bug]		fix buffer overruns by 1 in lwres_getnameinfo().
 
  537.	[placeholder]
 
  536.	[func]		Use transfer-source{-v6} when sending refresh queries.
 			Transfer-source{-v6} now take a optional port
 			parameter for setting the UDP source port.  The port
 			parameter is ignored for TCP.
 
  535.	[func]		Use transfer-source{-v6} when forwarding update
 			requests.
 
  534.	[func]		Ancestors have been removed from RBT chains.  Ancestor
 			information can be discerned via node parent pointers.
 
  533.	[func]		Incorporated name hashing into the RBT database to
 			improve search speed.
 
  532.	[func]		Implement DNS UPDATE pseudo records using
 			DNS_RDATA_UPDATE flag.
 
  531.	[func]		Rdata really should be initialized before being assigned
 			to (dns_rdata_fromwire(), dns_rdata_fromtext(),
 			dns_rdata_clone(), dns_rdata_fromregion()),
 			check that it is.
 
  530.	[func]		New function dns_rdata_invalidate().
 
  529.	[bug]		521 contained a bug which caused zones to always
 			reload.  [RT #410]
 
  528.	[func]		The ISC_LIST_XXXX macros now perform sanity checks
 			on their arguments.  ISC_LIST_XXXXUNSAFE can be use
 			to skip the checks however use with caution.
 
  527.	[func]		New function dns_rdata_clone().
 
  526.	[bug]		nsupdate incorrectly refused to add RRs with a TTL
 			of 0.
 
  525.	[func]		New arguments 'options' for dns_db_subtractrdataset(),
 			and 'flags' for dns_rdataslab_subtract() allowing you
 			to request that the RR's must exist prior to deletion.
 			DNS_R_NOTEXACT is returned if the condition is not met.
 
  524.	[func]		The 'forward' and 'forwarders' statement in
 			non-forward zones should work now.
 
  523.	[doc]		The source to the Administrator Reference Manual is
 			now an XML file using the DocBook DTD, and is included
 			in the distribution.  The plain text version of the
 			ARM is temporarily unavailable while we figure out
 			how to generate readable plain text from the XML.
 
  522.	[func]		The lightweight resolver daemon can now use
 			a real configuration file, and its functionality
 			can be provided by a name server.  Also, the -p and -P
 			options to lwresd have been reversed.
 
  521.	[bug]		Detect master files which contain $INCLUDE and always
 			reload. [RT #196]
 
  520.	[bug]		Upgraded libtool to 1.3.5, which makes shared
 			library builds almost work on AIX (and possibly
 			others).
 
  519.	[bug]		dns_name_split() would improperly split some bitstring
 			labels, zeroing a few of the least significant bits in
 			the prefix part.  When such an improperly created
 			prefix was returned to the RBT database, the bogus
 			label was dutifully stored, corrupting the tree.
 			[RT #369]
 
  518.	[bug]		The resolver did not realize that a DNAME which was
 			"the answer" to the client's query was "the answer",
 			and such queries would fail. [RT #399]
 
  517.	[bug]		The resolver's DNAME code would trigger an assertion
 			if there was more than one DNAME in the chain.
 			[RT #399]
 
  516.	[bug]		Cache lookups which had a NULL node pointer, e.g.
 			those by dns_view_find(), and which would match a
 			DNAME, would trigger an INSIST(!search.need_cleanup)
 			assertion. [RT #399]
 
  515.	[bug]		The ssu table was not being attached / detached
 			by dns_zone_[sg]etssutable. [RT #397]
 
  514.	[func]		Retry refresh and notify queries if they timeout.
 			[RT #388]
 
  513.	[func]		New functionality added to rdnc and server to allow
 			individual zones to be refreshed or reloaded.
 
  512.	[bug]		The zone transfer code could throw an exception with
 			an invalid IXFR stream.
 
  511.	[bug]		The message code could throw an assertion on an
 			out of memory failure. [RT #392]
 
  510.	[bug]		Remove spurious view notify warning. [RT #376]
 
  509.	[func]		Add support for write of zone files on shutdown.
 
  508.	[func]		dns_message_parse() can now do a best-effort
 			attempt, which should allow dig to print more invalid
 			messages.
 
  507.	[func]		New functions dns_zone_flush(), dns_zt_flushanddetach()
 			and dns_view_flushanddetach().
 
  506.	[func]		Do not fail to start on errors in zone files.
 
  505.	[bug]		nsupdate was printing "unknown result code". [RT #373]
 
  504.	[bug]		The zone was not being marked as dirty when updated via
 			IXFR.
 
  503.	[bug]		dumptime was not being set along with
 			DNS_ZONEFLG_NEEDDUMP.
 
  502.	[func]		On a SERVFAIL reply, DiG will now try the next server
 			in the list, unless the +fail option is specified.
 
  501.	[bug]		Incorrect port numbers were being displayed by
 			nslookup. [RT #352]
 
  500.	[func]		Nearly useless +details option removed from DiG.
 
  499.	[func]		In DiG, specifying a class with -c or type with -t
 			changes command-line parsing so that classes and
 			types are only recognized if following -c or -t.
 			This allows hosts with the same name as a class or
 			type to be looked up.
 
  498.	[doc]		There is now a man page for "dig"
 			in doc/man/bin/dig.1.
 
  497.	[bug]		The error messages printed when an IP match list
 			contained a network address with a nonzero host
 			part where not sufficiently detailed. [RT #365]
 
  496.	[bug]		named didn't sanity check numeric parameters. [RT #361]
 
  495.	[bug]		nsupdate was unable to handle large records. [RT #368]
 
  494.	[func]		Do not cache NXDOMAIN responses for SOA queries.
 
  493.	[func]		Return non-cachable (ttl = 0) NXDOMAIN responses
 			for SOA queries.  This makes it easier to locate
 			the containing zone without polluting intermediate
 			caches.
 
  492.	[bug]		attempting to reload a zone caused the server fail
 			to shutdown cleanly. [RT #360]
 
  491.	[bug]		nsupdate would segfault when sending certain
 			prerequisites with empty RDATA. [RT #356]
 
  490.	[func]		When a slave/stub zone has not yet successfully
 			obtained an SOA containing the zone's configured
 			retry time, perform the SOA query retries using
 			exponential backoff. [RT #337]
 
  489.	[func]		The zone manager now has a "i/o" queue.
 
  488.	[bug]		Locks weren't properly destroyed in some cases.
 
  487.	[port]		flockfile() is not defined on all systems.
 
  486.	[bug]		nslookup: "set all" and "server" commands showed
 			the incorrect port number if a port other than 53
 			was specified. [RT #352]
 
  485.	[func]		When dig had more than one server to query, it would
 			send all of the messages at the same time.  Add
 			rate limiting of the transmitted messages.
 
  484.	[bug]		When the server was reloaded after removing addresses
 			from the named.conf "listen-on" statement, sockets
 			were still listening on the removed addresses due
 			to reference count loops. [RT #325]
 
  483.	[bug]		nslookup: "set all" showed a "search" option but it
 			was not settable.
 
  482.	[bug]		nslookup: a plain "server" or "lserver" should be
 			treated as a lookup.
 
  481.	[bug]		nslookup:get_next_command() stack size could exceed
 			per thread limit.
 
  480.	[bug]		strtok() is not thread safe. [RT #349]
 
  479.	[func]		The test suite can now be run by typing "make check"
 			or "make test" at the top level.
 
  478.	[bug]		"make install" failed if the directory specified with
 			--prefix did not already exist.
 
  477.	[bug]		The the isc-config.sh script could be installed before
 			its directory was created. [RT #324]
 
  476.	[bug]		A zone could expire while a zone transfer was in
 			progress triggering a INSIST failure. [RT #329]
 
  475.	[bug]		query_getzonedb() sometimes returned a non-null version
 			on failure.  This caused assertion failures when
 			generating query responses where names subject to
 			additional section processing pointed to a zone
 			to which access had been denied by means of the
 			allow-query option. [RT #336]
 
  474.	[bug]		The mnemonic of the CHAOS class is CH according to
 			RFC1035, but it was printed and read only as CHAOS.
 			We now accept both forms as input, and print it
 			as CH. [RT #305]
 
  473.	[bug]		nsupdate overran the end of the list of name servers
 			when no servers could be reached, typically causing
 			it to print the error message "dns_request_create:
 			not implemented".
 
  472.	[bug]		Off-by-one error caused isc_time_add() to sometimes
 			produce invalid time values.
 
  471.	[bug]		nsupdate didn't compile on HP/UX 10.20
 
  470.	[func]		$GENERATE is now supported.  See also
 			doc/misc/migration.
 
  469.	[bug]		"query-source address * port 53;" now works.
 
  468.	[bug]		dns_master_load*() failed to report file and line
 			number in certain error conditions.
 
  467.	[bug]		dns_master_load*() failed to log an error if
 			pushfile() failed.
 
  466.	[bug]		dns_master_load*() could return success when it failed.
 
  465.	[cleanup]	Allow 0 to be set as an omapi_value_t value by
 			omapi_value_storeint().
 
  464.	[cleanup]	Build with openssl's RSA code instead of dnssafe.
 
  463.	[bug]		nsupdate sent malformed SOA queries to the second
 			and subsequent name servers in resolv.conf if the
 			query sent to the first one failed.
 
  462.	[bug]		--disable-ipv6 should work now.
 
  461.	[bug]		Specifying an unknown key in the "keys" clause of the
 			"controls" statement caused a NULL pointer dereference.
 			[RT #316]
 
  460.	[bug]		Much of the DNSSEC code only worked with class IN.
 
  459.	[bug]		Nslookup processed the "set" command incorrectly.
 
  458.	[bug]		Nslookup didn't properly check class and type values.
 			[RT #305]
 
  457.	[bug]		Dig/host/hslookup didn't properly handle connect
 			timeouts in certain situations, causing an
 			unnecessary warning message to be printed.
 
  456.	[bug]		Stub zones were not resetting the refresh and expire
 			counters, loadtime or clearing the DNS_ZONE_REFRESH
 			(refresh in progress) flag upon successful update.
 			This disabled further refreshing of the stub zone,
 			causing it to eventually expire. [RT #300]
 
  455.	[doc]		Document IPv4 prefix notation does not require a
 			dotted decimal quad but may be just dotted decimal.
 
  454.	[bug]		Enforce dotted decimal and dotted decimal quad where
 			documented as such in named.conf. [RT #304, RT #311]
 
  453.	[bug]		Warn if the obsolete option "maintain-ixfr-base"
 			is specified in named.conf. [RT #306]
 
  452.	[bug]		Warn if the unimplemented option "statistics-file"
 			is specified in named.conf. [RT #301]
 
  451.	[func]		Update forwarding implemented.
 
  450.	[func]		New function ns_client_sendraw().
 
  449.	[bug]		isc_bitstring_copy() only works correctly if the
 			two bitstrings have the same lsb0 value, but this
 			requirement was not documented, nor was there a
 			REQUIRE for it.
 
  448.	[bug]		Host output formatting change, to match v8. [RT #255]
 
  447.	[bug]		Dig didn't properly retry in TCP mode after
 			a truncated reply. [RT #277]
 
  446.	[bug]		Confusing notify log message. [RT #298]
 
  445.	[bug]		Doing a 0 bit isc_bitstring_copy() of an lsb0
 			bitstring triggered a REQUIRE statement.  The REQUIRE
 			statement was incorrect. [RT #297]
 
  444.	[func]		"recursion denied" messages are always logged at
 			debug level 1, now, rather than sometimes at ERROR.
 			This silences these warnings in the usual case, where
 			some clients set the RD bit in all queries.
 
  443.	[bug]		When loading a master file failed because of an
 			unrecognized RR type name, the error message
 			did not include the file name and line number.
 			[RT #285]
 
  442.	[bug]		TSIG signed messages that did not match any view
 			crashed the server. [RT #290]
 
  441.	[bug]		Nodes obscured by a DNAME were inaccessible even
 			when DNS_DBFIND_GLUEOK was set.
 
  440.	[func]		New function dns_zone_forwardupdate().
 
  439.	[func]		New function dns_request_createraw().
 
  438.	[func]		New function dns_message_getrawmessage().
 
  437.	[func]		Log NOTIFY activity to the notify channel.
 
  436.	[bug]		If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
 			which sometimes happens on Linux, named would enter
 			a busy loop.  Also, unexpected socket errors were
 			not logged at a high enough logging level to be
 			useful in diagnosing this situation. [RT #275]
 
  435.	[bug]		dns_zone_dump() overwrote existing zone files
 			rather than writing to a temporary file and
 			renaming.  This could lead to empty or partial
 			zone files being left around in certain error
 			conditions involving the initial transfer of a
 			slave zone, interfering with subsequent server
 			startup. [RT #282]
 
  434.	[func]		New function isc_file_isabsolute().
 
  433.	[func]		isc_base64_decodestring() now accepts newlines
 			within the base64 data.  This makes it possible
 			to break up the key data in a "trusted-keys"
 			statement into multiple lines. [RT #284]
 
  432.	[func]		Added refresh/retry jitter.  The actual refresh/
 			retry time is now a random value between 75% and
 			100% of the configured value.
 
  431.	[func]		Log at ISC_LOG_INFO when a zone is successfully
 			loaded.
 
  430.	[bug]		Rewrote the lightweight resolver client management
 			code to handle shutdown correctly and general
 			cleanup.
 
  429.	[bug]		The space reserved for a TSIG record in a response
 			was 2 bytes too short, leading to message
 			generation failures.
 
  428.	[bug]		rbtdb.c:find_closest_nxt() erroneously returned
 			DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
 			(e.g. glue).  This could cause SERVFAILs when
 			generating negative responses in a secure zone.
 
  427.	[bug]		Avoid going into an infinite loop when the validator
 			gets a negative response to a key query where the
 			records are signed by the missing key.
 
  426.	[bug]		Attempting to generate an oversized RSA key could
 			cause dnssec-keygen to dump core.
 
  425.	[bug]		Warn about the auth-nxdomain default value change
 			if there is no auth-nxdomain statement in the
 			config file. [RT #287]
 
  424.	[bug]		notify_createmessage() could trigger an assertion
 			failure when creating the notify message failed,
 			e.g. due to corrupt zones with multiple SOA records.
 			[RT #279]
 
  423.	[bug]		When responding to a recursive query, errors that occur
 			after following a CNAME should cause the query to fail.
 			[RT #274]
 
  422.	[func]		get rid of isc_random_t, and make isc_random_get()
 			and isc_random_jitter() use rand() internally
 			instead of local state.  Note that isc_random_*()
 			functions are only for weak, non-critical "randomness"
 			such as timing jitter and such.
 
  421.	[bug]		nslookup would exit when given a blank line as input.
 
  420.	[bug]		nslookup failed to implement the "exit" command.
 
  419.	[bug]		The certificate type PKIX was misspelled as SKIX.
 
  418.	[bug]		At debug levels >= 10, getting an unexpected
 			socket receive error would crash the server
 			while trying to log the error message.
 
  417.	[func]		Add isc_app_block() and isc_app_unblock(), which
 			allow an application to handle signals while
 			blocking.
 
  416.	[bug]		Slave zones with no master file tried to use a
 			NULL pointer for a journal file name when they
 			received an IXFR. [RT #273]
 
  415.	[bug]		The logging code leaked file descriptors.
 
  414.	[bug]		Server did not shut down until all incoming zone
 			transfers were finished.
 
  413.	[bug]		Notify could attempt to use the zone database after
 			it had been unloaded. [RT #267]
 
  412.	[bug]		named -v didn't print the version.
 
  411.	[bug]		A typo in the HS A code caused an assertion failure.
 
  410.	[bug]		lwres_gethostbyname() and company set lwres_h_errno
 			to a random value on success.
 
  409.	[bug]		If named was shut down early in the startup
 			process, ns_omapi_shutdown() would attempt to lock
 			an uninitialized mutex. [RT #262]
 
  408.	[bug]		stub zones could leak memory and reference counts if
 			all the masters were unreachable.
 
  407.	[bug]		isc_rwlock_lock() would needlessly block
 			readers when it reached the read quota even
 			if no writers were waiting.
 
  406.	[bug]		Log messages were occasionally lost or corrupted
 			due to a race condition in isc_log_doit().
 
  405.	[func]		Add support for selective forwarding (forward zones)
 
  404.	[bug]		The request library didn't completely work with IPv6.
 
  403.	[bug]		"host" did not use the search list.
 
  402.	[bug]		Treat undefined acls as errors, rather than
 			warning and then later throwing an assertion.
 			[RT #252]
 
  401.	[func]		Added simple database API.
 
  400.	[bug]		SIG(0) signing and verifying was done incorrectly.
 			[RT #249]
 
  399.	[bug]		When reloading the server with a config file
 			containing a syntax error, it could catch an
 			assertion failure trying to perform zone
 			maintenance on, or sending notifies from,
 			tentatively created zones whose views were
 			never fully configured and lacked an address
 			database and request manager.
 
  398.	[bug]		"dig" sometimes caught an assertion failure when
 			using TSIG, depending on the key length.
 
  397.	[func]		Added utility functions dns_view_gettsig() and
 			dns_view_getpeertsig().
 
  396.	[doc]		There is now a man page for "nsupdate"
 			in doc/man/bin/nsupdate.8.
 
  395.	[bug]		nslookup printed incorrect RR type mnemonics
 			for RRs of type >= 21 [RT #237].
 
  394.	[bug]		Current name was not propagated via $INCLUDE.
 
  393.	[func]		Initial answer while loading (awl) support.
 			Entry points: dns_master_loadfileinc(),
 			dns_master_loadstreaminc(), dns_master_loadbufferinc().
 			Note: calls to dns_master_load*inc() should be rate
 			be rate limited so as to not use up all file
 			descriptors.
 
  392.	[func]		Add ISC_R_FAMILYNOSUPPORT.  Returned when OS does
 			not support the given address family requested.
 
  391.	[clarity]	ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.
 
  390.	[func]		The function dns_zone_setdbtype() now takes
 			an argc/argv style vector of words and sets
 			both the zone database type and its arguments,
 			making the functions dns_zone_adddbarg()
 			and dns_zone_cleardbargs() unnecessary.
 
  389.	[bug]		Attempting to send a request over IPv6 using
 			dns_request_create() on a system without IPv6
 			support caused an assertion failure [RT #235].
 
  388.	[func]		dig and host can now do reverse ipv6 lookups.
 
  387.	[func]		Add dns_byaddr_createptrname(), which converts
 			an address into the name used by a PTR query.
 
  386.	[bug]		Missing strdup() of ACL name caused random
 			ACL matching failures [RT #228].
 
  385.	[cleanup]	Removed functions dns_zone_equal(), dns_zone_print(),
 			and dns_zt_print().
 
  384.	[bug]		nsupdate was incorrectly limiting TTLs to 65535 instead
 			of 2147483647.
 
  383.	[func]		When writing a master file, print the SOA and NS
 			records (and their SIGs) before other records.
 
  382.	[bug]		named -u failed on many Linux systems where the
 			libc provided kernel headers do not match
 			the current kernel.
 
  381.	[bug]		Check for IPV6_RECVPKTINFO and use it instead of
 			IPV6_PKTINFO if found. [RT #229]
 
  380.	[bug]		nsupdate didn't work with IPv6.
 
  379.	[func]		New library function isc_sockaddr_anyofpf().
 
  378.	[func]		named and lwresd will log the command line arguments
 			they were started with in the "starting ..." message.
 
  377.	[bug]		When additional data lookups were refused due to
 			"allow-query", the databases were still being
 			attached causing reference leaks.
 
  376.	[bug]		The server should always use good entropy when
 			performing cryptographic functions needing entropy.
 
  375.	[bug]		Per-zone "allow-query" did not properly override the
 			view/global one for CNAME targets and additional
 			data [RT #220].
 
  374.	[bug]		SOA in authoritative negative responses had wrong TTL.
 
  373.	[func]		nslookup is now installed by "make install".
 
  372.	[bug]		Deal with Microsoft DNS servers appending two bytes of
 			garbage to zone transfer requests.
 
  371.	[bug]		At high debug levels, doing an outgoing zone transfer
 			of a very large RRset could cause an assertion failure
 			during logging.
 
  370.	[bug]		The error messages for roll-forward failures were
 			overly terse.
 
  369.	[func]		Support new named.conf options, view and zone
 			statements:
 
 				max-retry-time, min-retry-time,
 				max-refresh-time, min-refresh-time.
 
  368.	[func]		Restructure the internal ".bind" view so that more
 			zones can be added to it.
 
  367.	[bug]		Allow proper selection of server on nslookup command
 			line.
 
  366.	[func]		Allow use of '-' batch file in dig for stdin.
 
  365.	[bug]		nsupdate -k leaked memory.
 
  364.	[func]		Added additional-from-{cache,auth}
 
  363.	[placeholder]
 
  362.	[bug]		rndc no longer aborts if the configuration file is
 			missing an options statement. [RT #209]
 
  361.	[func]		When the RBT find or chain functions set the name and
 			origin for a node that stores the root label
 			the name is now set to an empty name, instead of ".",
 			to simplify later use of the name and origin by
 			dns_name_concatenate(), dns_name_totext() or
 			dns_name_format().
 
  360.	[func]		dns_name_totext() and dns_name_format() now allow
 			an empty name to be passed, which is formatted as "@".
 
  359.	[bug]		dnssec-signzone occasionally signed glue records.
 
  358.	[cleanup]	Rename the intermediate files used by the dnssec
 			programs.
 
  357.	[bug]		The zone file parser crashed if the argument
 			to $INCLUDE was a quoted string.
 
  356.	[cleanup]	isc_task_send no longer requires event->sender to
 			be non-null.
 
  355.	[func]		Added isc_dir_createunique(), similar to mkdtemp().
 
  354.	[doc]		Man pages for the dnssec tools are now included in
 			the distribution, in doc/man/dnssec.
 
  353.	[bug]		double increment in lwres/gethost.c:copytobuf().
 			[RT #187]
 
  352.	[bug]		Race condition in dns_client_t startup could cause
 			an assertion failure.
 
  351.	[bug]		Constructing a response with rcode SERVFAIL to a TSIG
 			signed query could crash the server.
 
  350.	[bug]		Also-notify lists specified in the global options
 			block were not correctly reference counted, causing
 			a memory leak.
 
  349.	[bug]		Processing a query with the CD bit set now works
 			as expected.
 
  348.	[func]		New boolean named.conf options 'additional-from-auth'
 			and 'additional-from-cache' now supported in view and
 			global options statement.
 
  347.	[bug]		Don't crash if an argument is left off options in dig.
 
  346.	[placeholder]
 
  345.	[bug]		Large-scale changes/cleanups to dig:
 			* Significantly improve structure handling
 			* Don't pre-load entire batch files
 			* Add name/rr counting/limiting
 			* Fix SIGINT handling
 			* Shorten timeouts to match v8's behavior
 
  344.	[bug]		When shutting down, lwresd sometimes tried
 			to shut down its client tasks twice,
 			triggering an assertion.
 
  343.	[bug]		Although zone maintenance SOA queries and
 			notify requests were signed with TSIG keys
 			when configured for the server in case,
 			the TSIG was not verified on the response.
 
  342.	[bug]		The wrong name was being passed to
 			dns_name_dup() when generating a TSIG
 			key using TKEY.
 
  341.	[func]		Support 'key' clause in named.conf zone masters
 			statement to allow authentication via TSIG keys:
 
 				masters {
 					10.0.0.1 port 5353 key "foo";
 					10.0.0.2 ;
 				};
 
  340.	[bug]		The top-level COPYRIGHT file was missing from
 			the distribution.
 
  339.	[bug]		DNSSEC validation of the response to an ANY
 			query at a name with a CNAME RR in a secure
 			zone triggered an assertion failure.
 
  338.	[bug]		lwresd logged to syslog as named, not lwresd.
 
  337.	[bug]		"dig" did not recognize "nsap-ptr" as an RR type
 			on the command line.
 
  336.	[bug]		"dig -f" used 64 k of memory for each line in
 			the file.  It now uses much less, though still
 			proportionally to the file size.
 
  335.	[bug]		named would occasionally attempt recursion when
 			it was disallowed or undesired.
 
  334.	[func]		Added hmac-md5 to libisc.
 
  333.	[bug]		The resolver incorrectly accepted referrals to
 			domains that were not parents of the query name,
 			causing assertion failures.
 
  332.	[func]		New function dns_name_reset().
 
  331.	[bug]		Only log "recursion denied" if RD is set. [RT #178]
 
  330.	[bug]		Many debugging messages were partially formatted
 			even when debugging was turned off, causing a
 			significant decrease in query performance.
 
  329.	[func]		omapi_auth_register() now takes a size_t argument for
 			the length of a key's secret data.  Previously
 			OMAPI only stored secrets up to the first NUL byte.
 
  328.	[func]		Added isc_base64_decodestring().
 
  327.	[bug]		rndc.conf parser wasn't correctly recognizing an IP
 			address where a host specification was required.
 
  326.	[func]		'keys' in an 'inet' control statement is now
 			required and must have at least one item in it.
 			A "not supported" warning is now issued if a 'unix'
 			control channel is defined.
 
  325.	[bug]		isc_lex_gettoken was processing octal strings when
 			ISC_LEXOPT_CNUMBER was not set.
 
  324.	[func]		In the resolver, turn EDNS0 off if there is no
 			response after a number of retransmissions.
 			This is to allow queries some chance of succeeding
 			even if all the authoritative servers of a zone
 			silently discard EDNS0 requests instead of
 			sending an error response like they ought to.
 
  323.	[bug]		dns_rbt_findname() did not ignore empty rbt nodes.
 			Because of this, servers authoritative for a parent
 			and grandchild zone but not authoritative for the
 			intervening child zone did not correctly issue
 			referrals to the servers of the child zone.
 
  322.	[bug]		Queries for KEY RRs are now sent to the parent
 			server before the authoritative one, making
 			DNSSEC insecurity proofs work in many cases
 			where they previously didn't.
 
  321.	[bug]		When synthesizing a CNAME RR for a DNAME
 			response, query_addcname() failed to initialize
 			the type and class of the CNAME dns_rdata_t,
 			causing random failures.
 
  320.	[func]		Multiple rndc changes: parses an rndc.conf file,
 			uses authentication to talk to named, command
 			line syntax changed.  This will all be described
 			in the ARM.
 
  319.	[func]		The named.conf "controls" statement is now used
 			to configure the OMAPI command channel.
 
  318.	[func]		dns_c_ndcctx_destroy() could never return anything
 			except ISC_R_SUCCESS; made it have void return instead.
 
  317.	[func]		Use callbacks from libomapi to determine if a
 			new connection is valid, and if a key requested
 			to be used with that connection is valid.
 
  316.	[bug]		Generate a warning if we detect an unexpected <eof>
 			but treat as <eol><eof>.
 
  315.	[bug]		Handle non-empty blanks lines. [RT #163]
 
  314.	[func]		The named.conf controls statement can now have
 			more than one key specified for the inet clause.
 
  313.	[bug]		When parsing resolv.conf, don't terminate on an
 			error.  Instead, parse as much as possible, but
 			still return an error if one was found.
 
  312.	[bug]		Increase the number of allowed elements in the
 			resolv.conf search path from 6 to 8.  If there
 			are more than this, ignore the remainder rather
 			than returning a failure in lwres_conf_parse.
 
  311.	[bug]		lwres_conf_parse failed when the first line of
 			resolv.conf was empty or a comment.
 
  310.	[func]		Changes to named.conf "controls" statement (inet
 			subtype only)
 
 			  - support "keys" clause
 
 				controls {
 				   inet * port 1024
 					allow { any; } keys { "foo"; }
 				}
 
 			  - allow "port xxx" to be left out of statement,
 			    in which case it defaults to omapi's default port
 			    of 953.
 
  309.	[bug]		When sending a referral, the server did not look
 			for name server addresses as glue in the zone
 			holding the NS RRset in the case where this zone
 			was not the same as the one where it looked for
 			name server addresses as authoritative data.
 
  308.	[bug]		Treat a SOA record not at top of zone as an error
 			when loading a zone. [RT #154]
 
  307.	[bug]		When canceling a query, the resolver didn't check for
 			isc_socket_sendto() calls that did not yet have their
 			completion events posted, so it could (rarely) end up
 			destroying the query context and then want to use
 			it again when the send event posted, triggering an
 			assertion as it tried to cancel an already-canceled
 			query.  [RT #77]
 
  306.	[bug]		Reading HMAC-MD5 private key files didn't work.
 
  305.	[bug]		When reloading the server with a config file
 			containing a syntax error, it could catch an
 			assertion failure trying to perform zone
 			maintenance on tentatively created zones whose
 			views were never fully configured and lacked
 			an address database.
 
  304.	[bug]		If more than LWRES_CONFMAXNAMESERVERS servers
 			are listed in resolv.conf, silently ignore them
 			instead of returning failure.
 
  303.	[bug]		Add additional sanity checks to differentiate a AXFR
 			response vs a IXFR response. [RT #157]
 
  302.	[bug]		In dig, host, and nslookup, MXNAME should be large
 			enough to hold any legal domain name in presentation
 			format + terminating NULL.
 
  301.	[bug]		Uninitialized pointer in host:printmessage(). [RT #159]
 
  300.	[bug]		Using both <isc/net.h> and <lwres/net.h> didn't work
 			on platforms lacking IPv6 because each included their
 			own ipv6 header file for the missing definitions.  Now
 			each library's ipv6.h defines the wrapper symbol of
 			the other (ISC_IPV6_H and LWRES_IPV6_H).
 
  299.	[cleanup]	Get the user and group information before changing the
 			root directory, so the administrator does not need to
 			keep a copy of the user and group databases in the
 			chroot'ed environment.  Suggested by Hakan Olsson.
 
  298.	[bug]		A mutex deadlock occurred during shutdown of the
 			interface manager under certain conditions.
 			Digital Unix systems were the most affected.
 
  297.	[bug]		Specifying a key name that wasn't fully qualified
 			in certain parts of the config file could cause
 			an assertion failure.
 
  296.	[bug]		"make install" from a separate build directory
 			failed unless configure had been run in the source
 			directory, too.
 
  295.	[bug]		When invoked with type==CNAME and a message
 			not constructed by dns_message_parse(),
 			dns_message_findname() failed to find anything
 			due to checking for attribute bits that are set
 			only in dns_message_parse().  This caused an
 			infinite loop when constructing the response to
 			an ANY query at a CNAME in a secure zone.
 
  294.	[bug]		If we run out of space in while processing glue
 			when reading a master file and commit "current name"
 			reverts to "name_current" instead of staying as
 			"name_glue".
 
  293.	[port]		Add support for FreeBSD 4.0 system tests.
 
  292.	[bug]		Due to problems with the way some operating systems
 			handle simultaneous listening on IPv4 and IPv6
 			addresses, the server no longer listens on IPv6
 			addresses by default.  To revert to the previous
 			behavior, specify "listen-on-v6 { any; };" in
 			the config file.
 
  291.	[func]		Caching servers no longer send outgoing queries
 			over TCP just because the incoming recursive query
 			was a TCP one.
 
  290.	[cleanup]	+twiddle option to dig (for testing only) removed.
 
  289.	[cleanup]	dig is now installed in $bindir instead of $sbindir.
 			host is now installed in $bindir.  (Be sure to remove
 			any $sbindir/dig from a previous release.)
 
  288.	[func]		rndc is now installed by "make install" into $sbindir.
 
  287.	[bug]		rndc now works again as "rndc 127.1 reload" (for
 			only that task).  Parsing its configuration file and
 			using digital signatures for authentication has been
 			disabled until named supports the "controls" statement,
 			post-9.0.0.
 
  286.	[bug]		On Solaris 2, when named inherited a signal state
 			where SIGHUP had the SIG_IGN action, SIGHUP would
 			be ignored rather than causing the server to reload
 			its configuration.
 
  285.	[bug]		A change made to the dst API for beta4 inadvertently
 			broke OMAPI's creation of a dst key from an incoming
 			message, causing an assertion to be triggered.  Fixed.
 
  284.	[func]		The DNSSEC key generation and signing tools now
 			generate randomness from keyboard input on systems
 			that lack /dev/random.
 
  283.	[cleanup]	The 'lwresd' program is now a link to 'named'.
 
  282.	[bug]		The lexer now returns ISC_R_RANGE if parsed integer is
 			too big for an unsigned long.
 
  281.	[bug]		Fixed list of recognized config file category names.
 
  280.	[func]		Add isc-config.sh, which can be used to more
 			easily build applications that link with
 			our libraries.
 
  279.	[bug]		Private omapi function symbols shared between
 			two or more files in libomapi.a were not namespace
 			protected using the ISC convention of starting with
 			the library name and two underscores ("omapi__"...)
 
  278.	[bug]		bin/named/logconf.c:category_fromconf() didn't take
 			note of when isc_log_categorybyname() wasn't able
 			to find the category name and would then apply the
 			channel list of the unknown category to all categories.
 
  277.	[bug]		isc_log_categorybyname() and isc_log_modulebyname()
 			would fail to find the first member of any category
 			or module array apart from the internal defaults.
 			Thus, for example, the "notify" category was improperly
 			configured by named.
 
  276.	[bug]		dig now supports maximum sized TCP messages.
 
  275.	[bug]		The definition of lwres_gai_strerror() was missing
 			the lwres_ prefix.
 
  274.	[bug]		TSIG AXFR verify failed when talking to a BIND 8
 			server.
 
  273.	[func]		The default for the 'transfer-format' option is
 			now 'many-answers'.  This will break zone transfers
 			to BIND 4.9.5 and older unless there is an explicit
 			'one-answer' configuration.
 
  272.	[bug]		The sending of large TCP responses was canceled
 			in mid-transmission due to a race condition
 			caused by the failure to set the client object's
 			"newstate" variable correctly when transitioning
 			to the "working" state.
 
  271.	[func]		Attempt to probe the number of cpus in named
 			if unspecified rather than defaulting to 1.
 
  270.	[func]		Allow maximum sized TCP answers.
 
  269.	[bug]		Failed DNSSEC validations could cause an assertion
 			failure by causing clone_results() to be called with
 			with hevent->node == NULL.
 
  268.	[doc]		A plain text version of the Administrator
 			Reference Manual is now included in the distribution,
 			as doc/arm/Bv9ARM.txt.
 
  267.	[func]		Nsupdate is now provided in the distribution.
 
  266.	[bug]		zone.c:save_nsrrset() node was not initialized.
 
  265.	[bug]		dns_request_create() now works for TCP.
 
  264.	[func]		Dispatch can not take TCP sockets in connecting
 			state.  Set DNS_DISPATCHATTR_CONNECTED when calling
 			dns_dispatch_createtcp() for connected TCP sockets
 			or call dns_dispatch_starttcp() when the socket is
 			connected.
 
  263.	[func]		New logging channel type 'stderr'
 
 				channel some-name {
 					stderr;
 					severity error;
 				}
 
  262.	[bug]		'master' was not initialized in zone.c:stub_callback().
 
  261.	[func]		Add dns_zone_markdirty().
 
  260.	[bug]		Running named as a non-root user failed on Linux
 			kernels new enough to support retaining capabilities
 			after setuid().
 
  259.	[func]		New random-device and random-seed-file statements
 			for global options block of named.conf. Both accept
 			a single string argument.
 
  258.	[bug]		Fixed printing of lwres_addr_t.address field.
 
  257.	[bug]		The server detached the last zone manager reference
 			too early, while it could still be in use by queries.
 			This manifested itself as assertion failures during the
 			shutdown process for busy name servers. [RT #133]
 
  256.	[func]		isc_ratelimiter_t now has attach/detach semantics, and
 			isc_ratelimiter_shutdown guarantees that the rate
 			limiter is detached from its task.
 
  255.	[func]		New function dns_zonemgr_attach().
 
  254.	[bug]		Suppress "query denied" messages on additional data
 			lookups.
 
 	--- 9.0.0b4 released ---
 
  253.	[func]		resolv.conf parser now recognizes ';' and '#' as
 			comments (anywhere in line, not just as the beginning).
 
  252.	[bug]		resolv.conf parser mishandled masks on sortlists.
 			It also aborted when an unrecognized keyword was seen,
 			now it silently ignores the entire line.
 
  251.	[bug]		lwresd caught an assertion failure on startup.
 
  250.	[bug]		fixed handling of size+unit when value would be too
 			large for internal representation.
 
  249.	[cleanup]	max-cache-size config option now takes a size-spec
 			like 'datasize', except 'default' is not allowed.
 
  248.	[bug]		global lame-ttl option was not being printed when
 			config structures were written out.
 
  247.	[cleanup]	Rename cache-size config option to max-cache-size.
 
  246.	[func]		Rename global option cachesize to cache-size and
 			add corresponding option to view statement.
 
  245.	[bug]		If an uncompressed name will take more than 255
 			bytes and the buffer is sufficiently long,
 			dns_name_fromwire should return DNS_R_FORMERR,
 			not ISC_R_NOSPACE.  This bug caused cause the
 			server to catch an assertion failure when it
 			received a query for a name longer than 255
 			bytes.
 
  244.	[bug]		empty named.conf file and empty options statement are
 			now parsed properly.
 
  243.	[func]		new cachesize option for named.conf
 
  242.	[cleanup]	fixed incorrect warning about auth-nxdomain usage.
 
  241.	[cleanup]	nscount and soacount have been removed from the
 			dns_master_*() argument lists.
 
  240.	[func]		databases now come in three flavours: zone, cache
 			and stub.
 
  239.	[func]		If ISC_MEM_DEBUG is enabled, the variable
 			isc_mem_debugging controls whether messages
 			are printed or not.
 
  238.	[cleanup]	A few more compilation warnings have been quieted:
 			+ missing sigwait prototype on BSD/OS 4.0/4.0.1.
 			+ PTHREAD_ONCE_INIT unbraced initializer warnings on
 				Solaris 2.8.
 			+ IN6ADDR_ANY_INIT unbraced initializer warnings on
 				BSD/OS 4.*, Linux and Solaris 2.8.
 
  237.	[bug]		If connect() returned ENOBUFS when the resolver was
 			initiating a TCP query, the socket didn't get
 			destroyed, and the server did not shut down cleanly.
 
  236.	[func]		Added new listen-on-v6 config file statement.
 
  235.	[func]		Consider it a config file error if a listen-on
 			statement has an IPv6 address in it, or a
 			listen-on-v6 statement has an IPv4 address in it.
 
  234.	[bug]		Allow a trusted-key's first field (domain-name) be
 			either a quoted or an unquoted string, instead of
 			requiring a quoted string.
 
  233.	[cleanup]	Convert all config structure integer values to unsigned
 			integer (isc_uint32_t) to match grammar.
 
  232.	[bug]		Allow slave zones to not have a file.
 
  231.	[func]		Support new 'port' clause in config file options
 			section. Causes 'listen-on', 'masters' and
 			'also-notify' statements to use its value instead of
 			default (53).
 
  230.	[func]		Replace the dst sign/verify API with a cleaner one.
 
  229.	[func]		Support config file sig-validity-interval statement
 			in options, views and zone statements (master
 			zones only).
 
  228.	[cleanup]	Logging messages in config module stripped of
 			trailing period.
 
  227.	[cleanup]	The enumerated identifiers dns_rdataclass_*,
 			dns_rcode_*, dns_opcode_*, and dns_trust_* are
 			also now cast to their appropriate types, as with
 			dns_rdatatype_* in item number 225 below.
 
  226.	[func]		dns_name_totext() now always prints the root name as
 			'.', even when omit_final_dot is true.
 
  225.	[cleanup]	The enumerated dns_rdatatype_* identifiers are now
 			cast to dns_rdatatype_t via macros of their same name
 			so that they are of the proper integral type wherever
 			a dns_rdatatype_t is needed.
 
  224.	[cleanup]	The entire project builds cleanly with gcc's
 			-Wcast-qual and -Wwrite-strings warnings enabled,
 			which is now the default when using gcc.  (Warnings
 			from confparser.c, because of yacc's code, are
 			unfortunately to be expected.)
 
  223.	[func]		Several functions were re-prototyped to qualify one
 			or more of their arguments with "const".  Similarly,
 			several functions that return pointers now have
 			those pointers qualified with const.
 
  222.	[bug]		The global 'also-notify' option was ignored.
 
  221.	[bug]		An uninitialized variable was sometimes passed to
 			dns_rdata_freestruct() when loading a zone, causing
 			an assertion failure.
 
  220.	[cleanup]	Set the default outgoing port in the view, and
 			set it in sockaddrs returned from the ADB.
 			[31-May-2000 explorer]
 
  219.	[bug]		Signed truncated messages more correctly follow
 			the respective specs.
 
  218.	[func]		When an rdataset is signed, its ttl is normalized
 			based on the signature validity period.
 
  217.	[func]		Also-notify and trusted-keys can now be used in
 			the 'view' statement.
 
  216.	[func]		The 'max-cache-ttl' and 'max-ncache-ttl' options
 			now work.
 
  215.	[bug]		Failures at certain points in request processing
 			could cause the assertion INSIST(client->lockview
 			== NULL) to be triggered.
 
  214.	[func]		New public function isc_netaddr_format(), for
 			formatting network addresses in log messages.
 
  213.	[bug]		Don't leak memory when reloading the zone if
 			an update-policy clause was present in the old zone.
 
  212.	[func]		Added dns_message_get/settsigkey, to make TSIG
 			key management reasonable.
 
  211.	[func]		The 'key' and 'server' statements can now occur
 			inside 'view' statements.
 
  210.	[bug]		The 'allow-transfer' option was ignored for slave
 			zones, and the 'transfers-per-ns' option was
 			was ignored for all zones.
 
  209.	[cleanup]	Upgraded openssl files to new version 0.9.5a
 
  208.	[func]		Added ISC_OFFSET_MAXIMUM for the maximum value
 			of an isc_offset_t.
 
  207.	[func]		The dnssec tools properly use the logging subsystem.
 
  206.	[cleanup]	dst now stores the key name as a dns_name_t, not
 			a char *.
 
  205.	[cleanup]	On IRIX, turn off the mostly harmless warnings 1692
 			("prototyped function redeclared without prototype")
 			and 1552 ("variable ... set but not used") when
 			compiling in the lib/dns/sec/{dnssafe,openssl}
 			directories, which contain code imported from outside
 			sources.
 
  204.	[cleanup]	On HP/UX, pass +vnocompatwarnings to the linker
 			to quiet the warnings that "The linked output may not
 			run on a PA 1.x system."
 
  203.	[func]		notify and zone soa queries are now tsig signed when
 			appropriate.
 
  202.	[func]		isc_lex_getsourceline() changed from returning int
 			to returning unsigned long, the type of its underlying
 			counter.
 
  201.	[cleanup]	Removed the test/sdig program, it has been
 			replaced by bin/dig/dig.
 
 	--- 9.0.0b3 released ---
 
  200.	[bug]		Failures in sending query responses to clients
 			(e.g., running out of network buffers) were
 			not logged.
 
  199.	[bug]		isc_heap_delete() sometimes violated the heap
 			invariant, causing timer events not to be posted
 			when due.
 
  198.	[func]		Dispatch managers hold memory pools which
 			any managed dispatcher may use.  This allows
 			us to avoid dipping into the memory context for
 			most allocations. [19-May-2000 explorer]
 
  197.	[bug]		When an incoming AXFR or IXFR completes, the
 			zone's internal state is refreshed from the
 			SOA data. [19-May-2000 explorer]
 
  196.	[func]		Dispatchers can be shared easily between views
 			and/or interfaces. [19-May-2000 explorer]
 
  195.	[bug]		Including the NXT record of the root domain
 			in a negative response caused an assertion
 			failure.
 
  194.	[doc]		The PDF version of the Administrator's Reference
 			Manual is no longer included in the ISC BIND9
 			distribution.
 
  193.	[func]		changed dst_key_free() prototype.
 
  192.	[bug]		Zone configuration validation is now done at end
 			of config file parsing, and before loading
 			callbacks.
 
  191.	[func]		Patched to compile on UnixWare 7.x.  This platform
 			is not directly supported by the ISC.
 
  190.	[cleanup]	The DNSSEC tools have been moved to a separate
 			directory dnssec/ and given the following new,
 			more descriptive names:
 
 			      dnssec-keygen
 			      dnssec-signzone
 			      dnssec-signkey
 			      dnssec-makekeyset
 
 			Their command line arguments have also been changed to
 			be more consistent.  dnssec-keygen now prints the
 			name of the generated key files (sans extension)
 			on standard output to simplify its use in automated
 			scripts.
 
  189.	[func]		isc_time_secondsastimet(), a new function, will ensure
 			that the number of seconds in an isc_time_t does not
 			exceed the range of a time_t, or return ISC_R_RANGE.
 			Similarly, isc_time_now(), isc_time_nowplusinterval(),
 			isc_time_add() and isc_time_subtract() now check the
 			range for overflow/underflow.  In the case of
 			isc_time_subtract, this changed a calling requirement
 			(ie, something that could generate an assertion)
 			into merely a condition that returns an error result.
 			isc_time_add() and isc_time_subtract() were void-
 			valued before but now return isc_result_t.
 
  188.	[func]		Log a warning message when an incoming zone transfer
 			contains out-of-zone data.
 
  187.	[func]		isc_ratelimiter_enqueue() has an additional argument
 			'task'.
 
  186.	[func]		dns_request_getresponse() has an additional argument
 			'preserve_order'.
 
  185.	[bug]		Fixed up handling of ISC_MEMCLUSTER_LEGACY.  Several
 			public functions did not have an isc__ prefix, and
 			referred to functions that had previously been
 			renamed.
 
  184.	[cleanup]	Variables/functions which began with two leading
 			underscores were made to conform to the ANSI/ISO
 			standard, which says that such names are reserved.
 
  183.	[func]		ISC_LOG_PRINTTAG option for log channels.  Useful
 			for logging the program name or other identifier.
 
  182.	[cleanup]	New command-line parameters for dnssec tools
 
  181.	[func]		Added dst_key_buildfilename and dst_key_parsefilename
 
  180.	[func]		New isc_result_t ISC_R_RANGE.  Supersedes DNS_R_RANGE.
 
  179.	[func]		options named.conf statement *must* now come
 			before any zone or view statements.
 
  178.	[func]		Post-load of named.conf check verifies a slave zone
 			has non-empty list of masters defined.
 
  177.	[func]		New per-zone boolean:
 
 				enable-zone yes | no ;
 
 			intended to let a zone be disabled without having
 			to comment out the entire zone statement.
 
  176.	[func]		New global and per-view option:
 
 				max-cache-ttl number
 
  175.	[func]		New global and per-view option:
 
 				additional-data internal | minimal | maximal;
 
  174.	[func]		New public function isc_sockaddr_format(), for
 			formatting socket addresses in log messages.
 
  173.	[func]		Keep a queue of zones waiting for zone transfer
 			quota so that a new transfer can be dispatched
 			immediately whenever quota becomes available.
 
  172.	[bug]		$TTL directive was sometimes missing from dumped
 			master files because totext_ctx_init() failed to
 			initialize ctx->current_ttl_valid.
 
  171.	[cleanup]	On NetBSD systems, the mit-pthreads or
 			unproven-pthreads library is now always used
 			unless --with-ptl2 is explicitly specified on
 			the configure command line.  The
 			--with-mit-pthreads option is no longer needed
 			and has been removed.
 
  170.	[cleanup]	Remove inter server consistency checks from zone,
 			these should return as a separate module in 9.1.
 			dns_zone_checkservers(), dns_zone_checkparents(),
 			dns_zone_checkchildren(), dns_zone_checkglue().
 
 			Remove dns_zone_setadb(), dns_zone_setresolver(),
 			dns_zone_setrequestmgr() these should now be found
 			via the view.
 
  169.	[func]		ratelimiter can now process N events per interval.
 
  168.	[bug]		include statements in named.conf caused syntax errors
 			due to not consuming the semicolon ending the include
 			statement before switching input streams.
 
  167.	[bug]		Make lack of masters for a slave zone a soft error.
 
  166.	[bug]		Keygen was overwriting existing keys if key_id
 			conflicted, now it will retry, and non-null keys
 			with key_id == 0 are not generated anymore.  Key
 			was not able to generate NOAUTHCONF DSA key,
 			increased RSA key size to 2048 bits.
 
  165.	[cleanup]	Silence "end-of-loop condition not reached" warnings
 			from Solaris compiler.
 
  164.	[func]		Added functions isc_stdio_open(), isc_stdio_close(),
 			isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
 			isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
 			to encapsulate nonportable usage of errno and sync.
 
  163.	[func]		Added result codes ISC_R_FILENOTFOUND and
 			ISC_R_FILEEXISTS.
 
  162.	[bug]		Ensure proper range for arguments to ctype.h functions.
 
  161.	[cleanup]	error in yyparse prototype that only HPUX caught.
 
  160.	[cleanup]	getnet*() are not going to be implemented at this
 			stage.
 
  159.	[func]		Redefinition of config file elements is now an
 			error (instead of a warning).
 
  158.	[bug]		Log channel and category list copy routines
 			weren't assigning properly to output parameter.
 
  157.	[port]		Fix missing prototype for getopt().
 
  156.	[func]		Support new 'database' statement in zone.
 
 				database "quoted-string";
 
  155.	[bug]		ns_notify_start() was not detaching the found zone.
 
  154.	[func]		The signer now logs libdns warnings to stderr even when
 			not verbose, and in a nicer format.
 
  153.	[func]		dns_rdata_tostruct() 'mctx' is now optional.  If 'mctx'
 			is NULL then you need to preserve the 'rdata' until
 			you have finished using the structure as there may be
 			references to the associated memory.  If 'mctx' is
 			non-NULL it is guaranteed that there are no references
 			to memory associated with 'rdata'.
 
 			dns_rdata_freestruct() must be called if 'mctx' was
 			non-NULL and may safely be called if 'mctx' was NULL.
 
  152.	[bug]		keygen dumped core if domain name argument was omitted
 			from command line.
 
  151.	[func]		Support 'disabled' statement in zone config (causes
 			zone to be parsed and then ignored). Currently must
 			come after the 'type' clause.
 
  150.	[func]		Support optional ports in masters and also-notify
 			statements:
 
 				masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
 
  149.	[cleanup]	Removed unused argument 'olist' from
 			dns_c_view_unsetordering().
 
  148.	[cleanup]	Stop issuing some warnings about some configuration
 			file statements that were not implemented, but now are.
 
  147.	[bug]		Changed yacc union size to be smaller for yaccs that
 			put yacc-stack on the real stack.
 
  146.	[cleanup]	More general redundant header file cleanup.  Rather
 			than continuing to itemize every header which changed,
 			this changelog entry just notes that if a header file
 			did not need another header file that it was including
 			in order to provide its advertised functionality, the
 			inclusion of the other header file was removed.  See
 			util/check-includes for how this was tested.
 
  145.	[cleanup]	Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
 			ISC_LANG_ENDDECLS to header files that had function
 			prototypes, and removed it from those that did not.
 
  144.	[cleanup]	libdns header files too numerous to name were made
 			to conform to the same style for multiple inclusion
 			protection.
 
  143.	[func]		Added function dns_rdatatype_isknown().
 
  142.	[cleanup]	<isc/stdtime.h> does not need <time.h> or
 			<isc/result.h>.
 
  141.	[bug]		Corrupt requests with multiple questions could
 			cause an assertion failure.
 
  140.	[cleanup]	<isc/time.h> does not need <time.h> or <isc/result.h>.
 
  139.	[cleanup]	<isc/net.h> now includes <isc/types.h> instead of
 			<isc/int.h> and <isc/result.h>.
 
  138.	[cleanup]	isc_strtouq moved from str.[ch] to string.[ch] and
 			renamed isc_string_touint64.  isc_strsep moved from
 			strsep.c to string.c and renamed isc_string_separate.
 
  137.	[cleanup]	<isc/commandline.h>, <isc/mem.h>, <isc/print.h>
 			<isc/serial.h>, <isc/string.h> and <isc/offset.h>
 			made to conform to the same style for multiple
 			inclusion protection.
 
  136.	[cleanup]	<isc/commandline.h>, <isc/interfaceiter.h>,
 			<isc/net.h> and Win32's <isc/thread.h> needed
 			ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
 
  135.	[cleanup]	Win32's <isc/condition.h> did not need <isc/result.h>
 			or <isc/boolean.h>, now uses <isc/types.h> in place
 			of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
 			and ISC_LANG_ENDDECLS.
 
  134.	[cleanup]	<isc/dir.h> does not need <limits.h>.
 
  133.	[cleanup]	<isc/ipv6.h> needs <isc/platform.h>.
 
  132.	[cleanup]	<isc/app.h> does not need <isc/task.h>, but does
 			need <isc/eventclass.h>.
 
  131.	[cleanup]	<isc/mutex.h> and <isc/util.h> need <isc/result.h>
 			for ISC_R_* codes used in macros.
 
  130.	[cleanup]	<isc/condition.h> does not need <pthread.h> or
 			<isc/boolean.h>, and now includes <isc/types.h>
 			instead of <isc/time.h>.
 
  129.	[bug]		The 'default_debug' log channel was not set up when
 			'category default' was present in the config file
 
  128.	[cleanup]	<isc/dir.h> had ISC_LANG_BEGINDECLS instead of
 			ISC_LANG_ENDDECLS at end of header.
 
  127.	[cleanup]	The contracts for the comparison routines
 			dns_name_fullcompare(), dns_name_compare(),
 			dns_name_rdatacompare(), and dns_rdata_compare() now
 			specify that the order value returned is < 0, 0, or > 0
 			instead of -1, 0, or 1.
 
  126.	[cleanup]	<isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
 
  125.	[cleanup]	<isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
 			<isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
 			<isc/resultclass.h> do not need <isc/lang.h>.
 
  124.	[func]		signer now imports parent's zone key signature
 			and creates null keys/sets zone status bit for
 			children when necessary
 
  123.	[cleanup]	<isc/event.h> does not need <stddef.h>.
 
  122.	[cleanup]	<isc/task.h> does not need <isc/mem.h> or
 			<isc/result.h>.
 
  121.	[cleanup]	<isc/symtab.h> does not need <isc/mem.h> or
 			<isc/result.h>.  Multiple inclusion protection
 			symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
 			isc_symtab_t moved to <isc/types.h>.
 
  120.	[cleanup]	<isc/socket.h> does not need <isc/boolean.h>,
 			<isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
 			<isc/net.h>.
 
  119.	[cleanup]	structure definitions for generic rdata structures do
 			not have _generic_ in their names.
 
  118.	[cleanup]	libdns.a is now namespace-clean, on NetBSD, excepting
 			YACC crust (yyparse, etc) [2000-apr-27 explorer]
 
  117.	[cleanup]	libdns.a changes:
 			dns_zone_clearnotify() and dns_zone_addnotify()
 			are replaced by dns_zone_setnotifyalso().
 			dns_zone_clearmasters() and dns_zone_addmaster()
 			are replaced by dns_zone_setmasters().
 
  116.	[func]		Added <isc/offset.h> for isc_offset_t (aka off_t
 			on Unix systems).
 
  115.	[port]		Shut up the -Wmissing-declarations warning about
 			<stdio.h>'s __sputaux on BSD/OS pre-4.1.
 
  114.	[cleanup]	<isc/sockaddr.h> does not need <isc/buffer.h> or
 			<isc/list.h>.
 
  113.	[func]		Utility programs dig and host added.
 
  112.	[cleanup]	<isc/serial.h> does not need <isc/boolean.h>.
 
  111.	[cleanup]	<isc/rwlock.h> does not need <isc/result.h> or
 			<isc/mutex.h>.
 
  110.	[cleanup]	<isc/result.h> does not need <isc/boolean.h> or
 			<isc/list.h>.
 
  109.	[bug]		"make depend" did nothing for
 			bin/tests/{db,mem,sockaddr,tasks,timers}/.
 
  108.	[cleanup]	DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
 			<dns/types.h> to <dns/bit.h> and renamed to
 			DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
 
  107.	[func]		Add keysigner and keysettool.
 
  106.	[func]		Allow dnssec verifications to ignore the validity
 			period.  Used by several of the dnssec tools.
 
  105.	[doc]		doc/dev/coding.html expanded with other
 			implicit conventions the developers have used.
 
  104.	[bug]		Made compress_add and compress_find static to
 			lib/dns/compress.c.
 
  103.	[func]		libisc buffer API changes for <isc/buffer.h>:
 			Added:
 				isc_buffer_base(b)          (pointer)
 				isc_buffer_current(b)       (pointer)
 				isc_buffer_active(b)        (pointer)
 				isc_buffer_used(b)          (pointer)
 				isc_buffer_length(b)            (int)
 				isc_buffer_usedlength(b)        (int)
 				isc_buffer_consumedlength(b)    (int)
 				isc_buffer_remaininglength(b)   (int)
 				isc_buffer_activelength(b)      (int)
 				isc_buffer_availablelength(b)   (int)
 			Removed:
 				ISC_BUFFER_USEDCOUNT(b)
 				ISC_BUFFER_AVAILABLECOUNT(b)
 				isc_buffer_type(b)
 			Changed names:
 				isc_buffer_used(b, r) ->
 					isc_buffer_usedregion(b, r)
 				isc_buffer_available(b, r) ->
 					isc_buffer_available_region(b, r)
 				isc_buffer_consumed(b, r) ->
 					isc_buffer_consumedregion(b, r)
 				isc_buffer_active(b, r) ->
 					isc_buffer_activeregion(b, r)
 				isc_buffer_remaining(b, r) ->
 					isc_buffer_remainingregion(b, r)
 
 			Buffer types were removed, so the ISC_BUFFERTYPE_*
 			macros are no more, and the type argument to
 			isc_buffer_init and isc_buffer_allocate were removed.
 			isc_buffer_putstr is now void (instead of isc_result_t)
 			and requires that the caller ensure that there
 			is enough available buffer space for the string.
 
  102.	[port]		Correctly detect inet_aton, inet_pton and inet_ptop
 			on BSD/OS 4.1.
 
  101.	[cleanup]	Quieted EGCS warnings from lib/isc/print.c.
 
  100.	[cleanup]	<isc/random.h> does not need <isc/int.h> or
 			<isc/mutex.h>.  isc_random_t moved to <isc/types.h>.
 
   99.	[cleanup]	Rate limiter now has separate shutdown() and
 			destroy() functions, and it guarantees that all
 			queued events are delivered even in the shutdown case.
 
   98.	[cleanup]	<isc/print.h> does not need <stdarg.h> or <stddef.h>
 			unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
 
   97.	[cleanup]	<isc/ondestroy.h> does not need <stddef.h> or
 			<isc/event.h>.
 
   96.	[cleanup]	<isc/mutex.h> does not need <isc/result.h>.
 
   95.	[cleanup]	<isc/mutexblock.h> does not need <isc/result.h>.
 
   94.	[cleanup]	Some installed header files did not compile as C++.
 
   93.	[cleanup]	<isc/msgcat.h> does not need <isc/result.h>.
 
   92.	[cleanup]	<isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
 			or <isc/result.h>.
 
   91.	[cleanup]	<isc/log.h> does not need <sys/types.h> or
 			<isc/result.h>.
 
   90.	[cleanup]	Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
 			from <named/listenlist.h>.
 
   89.	[cleanup]	<isc/lex.h> does not need <stddef.h>.
 
   88.	[cleanup]	<isc/interfaceiter.h> does not need <isc/result.h> or
 			<isc/mem.h>.  isc_interface_t and isc_interfaceiter_t
 			moved to <isc/types.h>.
 
   87.	[cleanup]	<isc/heap.h> does not need <isc/boolean.h>,
 			<isc/mem.h> or <isc/result.h>.
 
   86.	[cleanup]	isc_bufferlist_t moved from <isc/bufferlist.h> to
 			<isc/types.h>.
 
   85.	[cleanup]	<isc/bufferlist.h> does not need <isc/buffer.h>,
 			<isc/list.h>, <isc/mem.h>, <isc/region.h> or
 			<isc/int.h>.
 
   84.	[func]		allow-query ACL checks now apply to all data
 			added to a response.
 
   83.	[func]		If the server is authoritative for both a
 			delegating zone and its (nonsecure) delegatee, and
 			a query is made for a KEY RR at the top of the
 			delegatee, then the server will look for a KEY
 			in the delegator if it is not found in the delegatee.
 
   82.	[cleanup]	<isc/buffer.h> does not need <isc/list.h>.
 
   81.	[cleanup]	<isc/int.h> and <isc/boolean.h> do not need
 			<isc/lang.h>.
 
   80.	[cleanup]	<isc/print.h> does not need <stdio.h> or <stdlib.h>.
 
   79.	[cleanup]	<dns/callbacks.h> does not need <stdio.h>.
 
   78.	[cleanup]	lwres_conftest renamed to lwresconf_test for
 			consistency with other *_test programs.
 
   77.	[cleanup]	typedef of isc_time_t and isc_interval_t moved from
 			<isc/time.h> to <isc/types.h>.
 
   76.	[cleanup]	Rewrote keygen.
 
   75.	[func]		Don't load a zone if its database file is older
 			than the last time the zone was loaded.
 
   74.	[cleanup]	Removed mktemplate.o and ufile.o from libisc.a,
 			subsumed by file.o.
 
   73.	[func]		New "file" API in libisc, including new function
 			isc_file_getmodtime, isc_mktemplate renamed to
 			isc_file_mktemplate and isc_ufile renamed to
 			isc_file_openunique.  By no means an exhaustive API,
 			it is just what's needed for now.
 
   72.	[func]		DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
 			added for dns_rbt_findnode, the former to disable the
 			setting of the chain to the predecessor, and the
 			latter to make clear when no options are set.
 
   71.	[cleanup]	Made explicit the implicit REQUIREs of
 			isc_time_seconds, isc_time_nanoseconds, and
 			isc_time_subtract.
 
   70.	[func]		isc_time_set() added.
 
   69.	[bug]		The zone object's master and also-notify lists grew
 			longer with each server reload.
 
   68.	[func]		Partial support for SIG(0) on incoming messages.
 
   67.	[performance]	Allow use of alternate (compile-time supplied)
 			OpenSSL libraries/headers.
 
   66.	[func]		Data in authoritative zones should have a trust level
 			beyond secure.
 
   65.	[cleanup]	Removed obsolete typedef of dns_zone_callbackarg_t
 			from <dns/types.h>.
 
   64.	[func]		The RBT, DB, and zone table APIs now allow the
 			caller find the most-enclosing superdomain of
 			a name.
 
   63.	[func]		Generate NOTIFY messages.
 
   62.	[func]		Add UDP refresh support.
 
   61.	[cleanup]	Use single quotes consistently in log messages.
 
   60.	[func]		Catch and disallow singleton types on message
 			parse.
 
   59.	[bug]		Cause net/host unreachable to be a hard error
 			when sending and receiving.
 
   58.	[bug]		bin/named/query.c could sometimes trigger the
 			(client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
 			== 0 assertion in query_newname().
 
   57.	[func]		Added dns_nxt_typepresent()
 
   56.	[bug]		SIG records were not properly returned in cached
 			negative answers.
 
   55.	[bug]		Responses containing multiple names in the authority
 			section were not negatively cached.
 
   54.	[bug]		If a fetch with sigrdataset==NULL joined one with
 			sigrdataset!=NULL or vice versa, the resolver
 			could catch an assertion or lose signature data,
 			respectively.
 
   53.	[port]		freebsd 4.0: lib/isc/unix/socket.c requires
 			<sys/param.h>.
 
   52.	[bug]		rndc: taskmgr and socketmgr were not initialized
 			to NULL.
 
   51.	[cleanup]	dns/compress.h and dns/zt.h did not need to include
 			dns/rbt.h; it was needed only by compress.c and zt.c.
 
   50.	[func]		RBT deletion no longer requires a valid chain to work,
 			and dns_rbt_deletenode was added.
 
   49.	[func]		Each cache now has its own mctx.
 
   48.	[func]		isc_task_create() no longer takes an mctx.
 			isc_task_mem() has been eliminated.
 
   47.	[func]		A number of modules now use memory context reference
 			counting.
 
   46.	[func]		Memory contexts are now reference counted.
 			Added isc_mem_inuse() and isc_mem_preallocate().
 			Renamed isc_mem_destroy_check() to
 			isc_mem_setdestroycheck().
 
   45.	[bug]		The trusted-key statement incorrectly loaded keys.
 
   44.	[bug]		Don't include authority data if it would force us
 			to unset the AD bit in the message.
 
   43.	[bug]		DNSSEC verification of cached rdatasets was failing.
 
   42.	[cleanup]	Simplified logging of messages with embedded domain
 			names by introducing a new convenience function
 			dns_name_format().
 
   41.	[func]		Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
 			to allow 'named' to run as a non-root user while
 			retaining the ability to bind() to privileged
 			ports.
 
   40.	[func]		Introduced new logging category "dnssec" and
 			logging module "dns/validator".
 
   39.	[cleanup]	Moved the typedefs for isc_region_t, isc_textregion_t,
 			and isc_lex_t to <isc/types.h>.
 
   38.	[bug]		TSIG signed incoming zone transfers work now.
 
   37.	[bug]		If the first RR in an incoming zone transfer was
 			not an SOA, the server died with an assertion failure
 			instead of just reporting an error.
 
   36.	[cleanup]	Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
 
   35.	[performance]	Log messages which are of a level too high to be
 			logged by any channel in the logging configuration
 			will not cause the log mutex to be locked.
 
   34.	[bug]		Recursion was allowed even with 'recursion no'.
 
   33.	[func]		The RBT now maintains a parent pointer at each node.
 
   32.	[cleanup]	bin/lwresd/client.c needs <string.h> for memset()
 			prototype.
 
   31.	[bug]		Use ${LIBTOOL} to compile bin/named/main.@O@.
 
   30.	[func]		config file grammar change to support optional
 			class type for a view.
 
   29.	[func]		support new config file view options:
 
 				auth-nxdomain recursion query-source
 				query-source-v6 transfer-source
 				transfer-source-v6 max-transfer-time-out
 				max-transfer-idle-out transfer-format
 				request-ixfr provide-ixfr cleaning-interval
 				fetch-glue notify rfc2308-type1 lame-ttl
 				max-ncache-ttl min-roots
 
   28.	[func]		support lame-ttl, min-roots and serial-queries
 			config global options.
 
   27.	[bug]		Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
 			Including it on other platforms (eg, NetBSD) can
 			cause a forced #error from the C preprocessor.
 
   26.	[func]		new match-clients statement in config file view.
 
   25.	[bug]		make install failed to install <isc/log.h> and
 			<isc/ondestroy.h>.
 
   24.	[cleanup]	Eliminate some unnecessary #includes of header
 			files from header files.
 
   23.	[cleanup]	Provide more context in log messages about client
 			requests, using a new function ns_client_log().
 
   22.	[bug]		SIGs weren't returned in the answer section when
 			the query resulted in a fetch.
 
   21.	[port]		Look at STD_CINCLUDES after CINCLUDES during
 			compilation, so additional system include directories
 			can be searched but header files in the bind9 source
 			tree with conflicting names take precedence.  This
 			avoids issues with installed versions of dnssafe and
 			openssl.
 
   20.	[func]		Configuration file post-load validation of zones
 			failed if there were no zones.
 
   19.	[bug]		dns_zone_notifyreceive() failed to unlock the zone
 			lock in certain error cases.
 
   18.	[bug]		Use AC_TRY_LINK rather than AC_TRY_COMPILE in
 			configure.in to check for presence of in6addr_any.
 
   17.	[func]		Do configuration file post-load validation of zones.
 
   16.	[bug]		put quotes around key names on config file
 			output to avoid possible keyword clashes.
 
   15.	[func]		Add dns_name_dupwithoffsets().  This function is
 			improves comparison performance for duped names.
 
   14.	[bug]		free_rbtdb() could have 'put' unallocated memory in
 			an unlikely error path.
 
   13.	[bug]		lib/dns/master.c and lib/dns/xfrin.c didn't ignore
 			out-of-zone data.
 
   12.	[bug]		Fixed possible uninitialized variable error.
 
   11.	[bug]		axfr_rrstream_first() didn't check the result code of
 			db_rr_iterator_first(), possibly causing an assertion
 			to be triggered later.
 
   10.	[bug]		A bug in the code which makes EDNS0 OPT records in
 			bin/named/client.c and lib/dns/resolver.c could
 			trigger an assertion.
 
    9.	[cleanup]	replaced bit-setting code in confctx.c and replaced
 			repeated code with macro calls.
 
    8.	[bug]		Shutdown of incoming zone transfer accessed
 			freed memory.
 
    7.	[cleanup]	removed 'listen-on' from view statement.
 
    6.	[bug]		quote RR names when generating config file to
 			prevent possible clash with config file keywords
 			(such as 'key').
 
    5.	[func]		syntax change to named.conf file: new ssu grant/deny
 			statements must now be enclosed by an 'update-policy'
 			block.
 
    4.	[port]		bin/named/unix/os.c didn't compile on systems with
 			linux 2.3 kernel includes due to conflicts between
 			C library includes and the kernel includes.  We now
 			get only what we need from <linux/capability.h>, and
 			avoid pulling in other linux kernel .h files.
 
    3.	[bug]		TKEYs go in the answer section of responses, not
 			the additional section.
 
    2.	[bug]		Generating cryptographic randomness failed on
 			systems without /dev/random.
 
    1.	[bug]		The installdirs rule in
 			lib/isc/unix/include/isc/Makefile.in had a typo which
 			prevented the isc directory from being created if it
 			didn't exist.
 
 	--- 9.0.0b2 released ---
 
 # This tells Emacs to use hard tabs in this file.
 # Local Variables:
 # indent-tabs-mode: t
 # End:
Index: stable/9/contrib/bind9/README
===================================================================
--- stable/9/contrib/bind9/README	(revision 286123)
+++ stable/9/contrib/bind9/README	(revision 286124)
@@ -1,430 +1,439 @@
 BIND 9
 
 	BIND version 9 is a major rewrite of nearly all aspects of the
 	underlying BIND architecture.  Some of the important features of
 	BIND 9 are:
 
 		- DNS Security
 			DNSSEC (signed zones)
 			TSIG (signed DNS requests)
 
 		- IP version 6
 			Answers DNS queries on IPv6 sockets
 			IPv6 resource records (AAAA)
 			Experimental IPv6 Resolver Library
 
 		- DNS Protocol Enhancements
 			IXFR, DDNS, Notify, EDNS0
 			Improved standards conformance
 
 		- Views
 			One server process can provide multiple "views" of
 			the DNS namespace, e.g. an "inside" view to certain
 			clients, and an "outside" view to others.
 
 		- Multiprocessor Support
 
 		- Improved Portability Architecture
 
 
 	BIND version 9 development has been underwritten by the following
 	organizations:
 
 		Sun Microsystems, Inc.
 		Hewlett Packard
 		Compaq Computer Corporation
 		IBM
 		Process Software Corporation
 		Silicon Graphics, Inc.
 		Network Associates, Inc.
 		U.S. Defense Information Systems Agency
 		USENIX Association
 		Stichting NLnet - NLnet Foundation
 		Nominum, Inc.
 
 	For a summary of functional enhancements in previous
 	releases, see the HISTORY file.
 
 	For a detailed list of user-visible changes from
 	previous releases, see the CHANGES file.
 
 	For up-to-date release notes and errata, see
 	http://www.isc.org/software/bind9/releasenotes
 
+BIND 9.9.7-P2
+
+       BIND 9.9.7-P1 is a security release addressing the flaw
+       described in CVE-2015-5477.
+
+BIND 9.9.7-P1
+
+       BIND 9.9.7-P1 is a security release addressing the flaw
+       described in CVE-2015-4620.
 
 BIND 9.9.7
 
 	BIND 9.9.7 is a maintenance release and addresses bugs
 	found in BIND 9.9.6 and earlier, as well as the security
 	flaws described in CVE-2014-8500 and CVE-2015-1349.
 
 BIND 9.9.6
 
 	BIND 9.9.6 is a maintenance release, and also includes
 	the following new functionality.
 
 	 - The former behavior with respect to capitalization of names
 	   (prior to BIND 9.9.5) can be restored for specific clients via
 	   the new "no-case-compress" ACL.
 
 BIND 9.9.5
 
 	BIND 9.9.5 is a maintenance release, and patches the security
 	flaws described in CVE-2013-6320 and CVE-2014-0591.  It also
 	includes the following functional enhancements:
 
 	 - "named" now preserves the capitalization of names when
 	   responding to queries.
 	 - new "dnssec-importkey" command allows the use of offline
 	   DNSSEC keys with automatic DNSKEY management.
 	 - When re-signing a zone, the new "dnssec-signzone -Q" option
 	   drops signatures from keys that are still published but are
 	   no longer active.
 	 - "named-checkconf -px" will print the contents of configuration
 	   files with the shared secrets obscured, making it easier to
 	   share configuration (e.g. when submitting a bug report)
 	   without revealing private information.
 
 BIND 9.9.4
 
 	BIND 9.9.4 is a maintenance release, and patches the security
 	flaws described in CVE-2013-3919 and CVE-2013-4854. It also
 	introduces DNS Response Rate Limiting (DNS RRL) as a
 	compile-time option. To use this feature, configure with
 	the "--enable-rrl" option.
 
 BIND 9.9.3
 
 	BIND 9.9.3 is a maintenance release and patches the security
 	flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266.
 
 BIND 9.9.2
 
 	BIND 9.9.2 is a maintenance release and patches the security
 	flaw described in CVE-2012-4244.
 
 BIND 9.9.1
 
 	BIND 9.9.1 is a maintenance release.
 
 BIND 9.9.0
 
 	BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
 	releases.  New features include:
 
 	- Inline signing, allowing automatic DNSSEC signing of
 	  master zones without modification of the zonefile, or 
 	  "bump in the wire" signing in slaves.
 	- NXDOMAIN redirection.
 	- New 'rndc flushtree' command clears all data under a given
 	  name from the DNS cache.
 	- New 'rndc sync' command dumps pending changes in a dynamic
 	  zone to disk without a freeze/thaw cycle.
 	- New 'rndc signing' command displays or clears signing status
 	  records in 'auto-dnssec' zones.
 	- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
 	  to signing, eliminating the need to initially sign with NSEC.
 	- Startup time improvements on large authoritative servers.
 	- Slave zones are now saved in raw format by default.
 	- Several improvements to response policy zones (RPZ).
 	- Improved hardware scalability by using multiple threads
 	  to listen for queries and using finer-grained client locking
 	- The 'also-notify' option now takes the same syntax as
 	  'masters', so it can used named masterlists and TSIG keys.
 	- 'dnssec-signzone -D' writes an output file containing only DNSSEC
 	  data, which can be included by the primary zone file.
 	- 'dnssec-signzone -R' forces removal of signatures that are
 	  not expired but were created by a key which no longer exists.
 	- 'dnssec-signzone -X' allows a separate expiration date to
 	  be specified for DNSKEY signatures from other signatures.
 	- New '-L' option to dnssec-keygen, dnssec-settime, and
 	  dnssec-keyfromlabel sets the default TTL for the key.
 	- dnssec-dsfromkey now supports reading from standard input,
 	  to make it easier to convert DNSKEY to DS.
 	- RFC 1918 reverse zones have been added to the empty-zones
 	  table per RFC 6303.
 	- Dynamic updates can now optionally set the zone's SOA serial
 	  number to the current UNIX time.
 	- DLZ modules can now retrieve the source IP address of
 	  the querying client.
 	- 'request-ixfr' option can now be set at the per-zone level.
 	- 'dig +rrcomments' turns on comments about DNSKEY records,
 	  indicating their key ID, algorithm and function
 	- Simplified nsupdate syntax and added readline support
 
 Building
 
 	BIND 9 currently requires a UNIX system with an ANSI C compiler,
 	basic POSIX support, and a 64 bit integer type.
 
 	We've had successful builds and tests on the following systems:
 
 		COMPAQ Tru64 UNIX 5.1B
 		Fedora Core 6
 		FreeBSD 4.10, 5.2.1, 6.2
 		HP-UX 11.11
 		Mac OS X 10.5
 		NetBSD 3.x, 4.0-beta, 5.0-beta
 		OpenBSD 3.3 and up
 		Solaris 8, 9, 9 (x86), 10
 		Ubuntu 7.04, 7.10
 		Windows XP/2003/2008
 
 	NOTE:  As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
 	Windows, including Windows NT and Windows 2000, are no longer
 	supported.
 
 	We have recent reports from the user community that a supported
 	version of BIND will build and run on the following systems:
 
 		AIX 4.3, 5L
 		CentOS 4, 4.5, 5
 		Darwin 9.0.0d1/ARM
 		Debian 4, 5, 6
 		Fedora Core 5, 7, 8
 		FreeBSD 6, 7, 8
 		HP-UX 11.23 PA
 		MacOS X 10.5, 10.6, 10.7
 		Red Hat Enterprise Linux 4, 5, 6
 		SCO OpenServer 5.0.6
 		Slackware 9, 10
 		SuSE 9, 10
 
 	To build, just
 
 		./configure
 		make
 
 	Do not use a parallel "make".
 
 	Several environment variables that can be set before running
 	configure will affect compilation:
 
 	    CC
 		The C compiler to use.	configure tries to figure
 		out the right one for supported systems.
 
 	    CFLAGS
 		C compiler flags.  Defaults to include -g and/or -O2
 		as supported by the compiler.  Please include '-g'
 		if you need to set CFLAGS.
 
 	    STD_CINCLUDES
 		System header file directories.	 Can be used to specify
 		where add-on thread or IPv6 support is, for example.
 		Defaults to empty string.
 
 	    STD_CDEFINES
 		Any additional preprocessor symbols you want defined.
 		Defaults to empty string.
 
 		Possible settings:
 		Change the default syslog facility of named/lwresd.
 		  -DISC_FACILITY=LOG_LOCAL0	
 		Enable DNSSEC signature chasing support in dig.
 		  -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
 				    -DDIG_SIGCHASE_BU=1)
 		Disable dropping queries from particular well known ports.
 		  -DNS_CLIENT_DROPPORT=0
 		Sibling glue checking in named-checkzone is enabled by default.
 		To disable the default check set.  -DCHECK_SIBLING=0
 		named-checkzone checks out-of-zone addresses by default.
 		To disable this default set.  -DCHECK_LOCAL=0
 		To create the default pid files in ${localstatedir}/run rather
 		than ${localstatedir}/run/{named,lwresd}/ set.
 		  -DNS_RUN_PID_DIR=0
 		Enable workaround for Solaris kernel bug about /dev/poll
 		  -DISC_SOCKET_USE_POLLWATCH=1
 		  The watch timeout is also configurable, e.g.,
 		  -DISC_SOCKET_POLLWATCH_TIMEOUT=20
 
 	    LDFLAGS
 		Linker flags. Defaults to empty string.
 
 	The following need to be set when cross compiling.
 
 	    BUILD_CC
 		The native C compiler.
 	    BUILD_CFLAGS (optional)
 	    BUILD_CPPFLAGS (optional)
 		Possible Settings:
 		-DNEED_OPTARG=1		(optarg is not declared in <unistd.h>)
 	    BUILD_LDFLAGS (optional)
 	    BUILD_LIBS (optional)
 
 	To build shared libraries, specify "--with-libtool" on the
 	configure command line.
 
 	For the server to support DNSSEC, you need to build it
 	with crypto support.  You must have OpenSSL 0.9.5a
 	or newer installed and specify "--with-openssl" on the
 	configure command line.  If OpenSSL is installed under
 	a nonstandard prefix, you can tell configure where to
 	look for it using "--with-openssl=/prefix".
 
 	On some platforms it is necessary to explictly request large
 	file support to handle files bigger than 2GB.  This can be
 	done by "--enable-largefile" on the configure command line.
 
 	On some platforms, BIND 9 can be built with multithreading
 	support, allowing it to take advantage of multiple CPUs.
 	You can specify whether to build a multithreaded BIND 9 
 	by specifying "--enable-threads" or "--disable-threads"
 	on the configure command line.  The default is operating
 	system dependent.
 
 	Support for the "fixed" rrset-order option can be enabled
 	or disabled by specifying "--enable-fixed-rrset" or
 	"--disable-fixed-rrset" on the configure command line.
 	The default is "disabled", to reduce memory footprint.
 
 	If your operating system has integrated support for IPv6, it
 	will be used automatically.  If you have installed KAME IPv6
 	separately, use "--with-kame[=PATH]" to specify its location.
 
 	"make install" will install "named" and the various BIND 9 libraries.
 	By default, installation is into /usr/local, but this can be changed
 	with the "--prefix" option when running "configure".
 
 	You may specify the option "--sysconfdir" to set the directory 
 	where configuration files like "named.conf" go by default,
 	and "--localstatedir" to set the default parent directory
 	of "run/named.pid".   For backwards compatibility with BIND 8,
 	--sysconfdir defaults to "/etc" and --localstatedir defaults to
 	"/var" if no --prefix option is given.  If there is a --prefix
 	option, sysconfdir defaults to "$prefix/etc" and localstatedir
 	defaults to "$prefix/var".
 
 	To see additional configure options, run "configure --help".
 	Note that the help message does not reflect the BIND 8 
 	compatibility defaults for sysconfdir and localstatedir.
 
 	If you're planning on making changes to the BIND 9 source, you
 	should also "make depend".  If you're using Emacs, you might find
 	"make tags" helpful.
 
 	If you need to re-run configure please run "make distclean" first.
 	This will ensure that all the option changes take.
 
 	Building with gcc is not supported, unless gcc is the vendor's usual
 	compiler (e.g. the various BSD systems, Linux).
 	
 	Known compiler issues:
 	* gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
 	* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
 	* gcc-3.3.5 powerpc generates incorrect code at -02.
 	* Irix, MipsPRO 7.4.1m is known to cause problems.
 
 	A limited test suite can be run with "make test".  Many of
 	the tests require you to configure a set of virtual IP addresses
 	on your system, and some require Perl; see bin/tests/system/README
 	for details.
 
 	SunOS 4 requires "printf" to be installed to make the shared
 	libraries.  sh-utils-1.16 provides a "printf" which compiles
 	on SunOS 4.
 
 Known limitations
 
 	Linux requires kernel build 2.6.39 or later to get the
 	performance benefits from using multiple sockets.
 
 Documentation
 
 	The BIND 9 Administrator Reference Manual is included with the
 	source distribution in DocBook XML and HTML format, in the
 	doc/arm directory.
 
 	Some of the programs in the BIND 9 distribution have man pages
 	in their directories.  In particular, the command line
 	options of "named" are documented in /bin/named/named.8.
 	There is now also a set of man pages for the lwres library.
 
 	If you are upgrading from BIND 8, please read the migration
 	notes in doc/misc/migration.  If you are upgrading from
 	BIND 4, read doc/misc/migration-4to9.
 
 	Frequently asked questions and their answers can be found in
 	FAQ.
 
 	Additional information on various subjects can be found
 	in the other README files.
 
 
 Change Log
 
 	A detailed list of all changes to BIND 9 is included in the 
 	file CHANGES, with the most recent changes listed first.
 	Change notes include tags indicating the category of the
 	change that was made; these categories are:
 
 	   [func]	  New feature
 
 	   [bug]	  General bug fix
 
 	   [security]	  Fix for a significant security flaw
 
 	   [experimental] Used for new features when the syntax
 			  or other aspects of the design are still
 			  in flux and may change
 
 	   [port]	  Portability enhancement
 
 	   [maint]	  Updates to built-in data such as root
 			  server addresses and keys
 
 	   [tuning]	  Changes to built-in configuration defaults
 			  and constants to improve performanceo
 
 	   [protocol]	  Updates to the DNS protocol such as new
 			  RR types
 
 	   [test]         Changes to the automatic tests, not
 			  affecting server functionality
 
 	   [cleanup]      Minor corrections and refactoring
 
 	   [doc]	  Documentation
 
 	   [contrib]	  Changes to the contributed tools and
 			  libraries in the 'contrib' subdirectory
 
 	   [placeholder]  Used in the master development branch to
 			  reserve change numbers for use in other
 			  branches, e.g. when fixing a bug that only
 			  exists in older releases
 
 	In general, [func] and [experimental] tags will only appear
 	in new-feature releases (i.e., those with version numbers
 	ending in zero).  Some new functionality may be backported to
 	older releases on a case-by-case basis.  All other change
 	types may be applied to all currently-supported releases.
 
 
 Bug Reports and Mailing Lists
 
 	Bug reports should be sent to:
 
 		bind9-bugs@isc.org
 
 	Feature requests can be sent to:
 
 		bind-suggest@isc.org
 
 	To join or view the archives of the BIND Users mailing list,
 	visit:
 
 		https://lists.isc.org/mailman/listinfo/bind-users
 
 	If you're planning on making changes to the BIND 9 source
 	code, you may also want to join the BIND Workers mailing
 	list:
 
 		https://lists.isc.org/mailman/listinfo/bind-workers
 
 	Information on read-only Git access, coding style and developer
 	guidelines can be found at:
 
 		http://www.isc.org/git/
 
 
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html	(revision 286124)
@@ -1,561 +1,561 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 1. Introduction</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="next" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">Chapter 1. Introduction</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch02.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="chapter" lang="en">
 <div class="titlepage"><div><div><h2 class="title">
 <a name="Bv9ARM.ch01"></a>Chapter 1. Introduction</h2></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563509">Scope of Document</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563533">Organization of This Document</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564629">Conventions Used in This Document</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564810">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564832">DNS Fundamentals</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564934">Domains and Domain Names</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567271">Zones</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567348">Authoritative Name Servers</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567589">Caching Name Servers</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567651">Name Servers in Multiple Roles</a></span></dt>
 </dl></dd>
 </dl>
 </div>
 <p>
       The Internet Domain Name System (<acronym class="acronym">DNS</acronym>)
       consists of the syntax
       to specify the names of entities in the Internet in a hierarchical
       manner, the rules used for delegating authority over names, and the
       system implementation that actually maps names to Internet
       addresses.  <acronym class="acronym">DNS</acronym> data is maintained in a
       group of distributed
       hierarchical databases.
     </p>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2563509"></a>Scope of Document</h2></div></div></div>
 <p>
         The Berkeley Internet Name Domain
         (<acronym class="acronym">BIND</acronym>) implements a
         domain name server for a number of operating systems. This
         document provides basic information about the installation and
         care of the Internet Systems Consortium (<acronym class="acronym">ISC</acronym>)
         <acronym class="acronym">BIND</acronym> version 9 software package for
         system administrators.
       </p>
 <p>This version of the manual corresponds to BIND version 9.9.</p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2563533"></a>Organization of This Document</h2></div></div></div>
 <p>
         In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
         the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
         describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
         environments. Information in <span class="emphasis"><em>Chapter 3</em></span> is
         <span class="emphasis"><em>task-oriented</em></span> in its presentation and is
         organized functionally, to aid in the process of installing the
         <acronym class="acronym">BIND</acronym> 9 software. The task-oriented
         section is followed by
         <span class="emphasis"><em>Chapter 4</em></span>, which contains more advanced
         concepts that the system administrator may need for implementing
         certain options. <span class="emphasis"><em>Chapter 5</em></span>
         describes the <acronym class="acronym">BIND</acronym> 9 lightweight
         resolver.  The contents of <span class="emphasis"><em>Chapter 6</em></span> are
         organized as in a reference manual to aid in the ongoing
         maintenance of the software. <span class="emphasis"><em>Chapter 7</em></span> addresses
         security considerations, and
         <span class="emphasis"><em>Chapter 8</em></span> contains troubleshooting help. The
         main body of the document is followed by several
         <span class="emphasis"><em>appendices</em></span> which contain useful reference
         information, such as a <span class="emphasis"><em>bibliography</em></span> and
         historic information related to <acronym class="acronym">BIND</acronym>
         and the Domain Name
         System.
       </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2564629"></a>Conventions Used in This Document</h2></div></div></div>
 <p>
         In this document, we use the following general typographic
         conventions:
       </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                 <p>
                   <span class="emphasis"><em>To describe:</em></span>
                 </p>
               </td>
 <td>
                 <p>
                   <span class="emphasis"><em>We use the style:</em></span>
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   a pathname, filename, URL, hostname,
                   mailing list name, or new term or concept
                 </p>
               </td>
 <td>
                 <p>
                   <code class="filename">Fixed width</code>
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   literal user
                   input
                 </p>
               </td>
 <td>
                 <p>
                   <strong class="userinput"><code>Fixed Width Bold</code></strong>
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   program output
                 </p>
               </td>
 <td>
                 <p>
                   <code class="computeroutput">Fixed Width</code>
                 </p>
               </td>
 </tr>
 </tbody>
 </table></div>
 <p>
         The following conventions are used in descriptions of the
         <acronym class="acronym">BIND</acronym> configuration file:</p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                   <p>
                     <span class="emphasis"><em>To describe:</em></span>
                   </p>
                 </td>
 <td>
                   <p>
                     <span class="emphasis"><em>We use the style:</em></span>
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p>
                     keywords
                   </p>
                 </td>
 <td>
                   <p>
                     <code class="literal">Fixed Width</code>
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p>
                     variables
                   </p>
                 </td>
 <td>
                   <p>
                     <code class="varname">Fixed Width</code>
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p>
                     Optional input
                   </p>
                 </td>
 <td>
                   <p>
                     [<span class="optional">Text is enclosed in square brackets</span>]
                   </p>
                 </td>
 </tr>
 </tbody>
 </table></div>
 <p>
       </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2564810"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
 <p>
         The purpose of this document is to explain the installation
         and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
         Name Domain) software package, and we
         begin by reviewing the fundamentals of the Domain Name System
         (<acronym class="acronym">DNS</acronym>) as they relate to <acronym class="acronym">BIND</acronym>.
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2564832"></a>DNS Fundamentals</h3></div></div></div>
 <p>
           The Domain Name System (DNS) is a hierarchical, distributed
           database.  It stores information for mapping Internet host names to
           IP
           addresses and vice versa, mail routing information, and other data
           used by Internet applications.
         </p>
 <p>
           Clients look up information in the DNS by calling a
           <span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
           more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
           The <acronym class="acronym">BIND</acronym> 9 software distribution
           contains a
           name server, <span><strong class="command">named</strong></span>, and a resolver
           library, <span><strong class="command">liblwres</strong></span>.  The older
           <span><strong class="command">libbind</strong></span> resolver library is also available
           from ISC as a separate download.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2564934"></a>Domains and Domain Names</h3></div></div></div>
 <p>
           The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
           organizational or administrative boundaries. Each node of the tree,
           called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain
           name of the
           node is the concatenation of all the labels on the path from the
           node to the <span class="emphasis"><em>root</em></span> node.  This is represented
           in written form as a string of labels listed from right to left and
           separated by dots. A label need only be unique within its parent
           domain.
         </p>
 <p>
           For example, a domain name for a host at the
           company <span class="emphasis"><em>Example, Inc.</em></span> could be
           <code class="literal">ourhost.example.com</code>,
           where <code class="literal">com</code> is the
           top level domain to which
           <code class="literal">ourhost.example.com</code> belongs,
           <code class="literal">example</code> is
           a subdomain of <code class="literal">com</code>, and
           <code class="literal">ourhost</code> is the
           name of the host.
         </p>
 <p>
           For administrative purposes, the name space is partitioned into
           areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
           extending down to the leaf nodes or to nodes where other zones
           start.
           The data for each zone is stored in a <span class="emphasis"><em>name server</em></span>, which answers queries about the zone using the
           <span class="emphasis"><em>DNS protocol</em></span>.
         </p>
 <p>
           The data associated with each domain name is stored in the
           form of <span class="emphasis"><em>resource records</em></span> (<acronym class="acronym">RR</acronym>s).
           Some of the supported resource record types are described in
           <a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called &#8220;Types of Resource Records and When to Use Them&#8221;</a>.
         </p>
 <p>
           For more detailed information about the design of the DNS and
           the DNS protocol, please refer to the standards documents listed in
           <a href="Bv9ARM.ch11.html#rfcs" title="Request for Comments (RFCs)">the section called &#8220;Request for Comments (RFCs)&#8221;</a>.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2567271"></a>Zones</h3></div></div></div>
 <p>
           To properly operate a name server, it is important to understand
           the difference between a <span class="emphasis"><em>zone</em></span>
           and a <span class="emphasis"><em>domain</em></span>.
         </p>
 <p>
           As stated previously, a zone is a point of delegation in
           the <acronym class="acronym">DNS</acronym> tree. A zone consists of
           those contiguous parts of the domain
           tree for which a name server has complete information and over which
           it has authority. It contains all domain names from a certain point
           downward in the domain tree except those which are delegated to
           other zones. A delegation point is marked by one or more
           <span class="emphasis"><em>NS records</em></span> in the
           parent zone, which should be matched by equivalent NS records at
           the root of the delegated zone.
         </p>
 <p>
           For instance, consider the <code class="literal">example.com</code>
           domain which includes names
           such as <code class="literal">host.aaa.example.com</code> and
           <code class="literal">host.bbb.example.com</code> even though
           the <code class="literal">example.com</code> zone includes
           only delegations for the <code class="literal">aaa.example.com</code> and
           <code class="literal">bbb.example.com</code> zones.  A zone can
           map
           exactly to a single domain, but could also include only part of a
           domain, the rest of which could be delegated to other
           name servers. Every name in the <acronym class="acronym">DNS</acronym>
           tree is a
           <span class="emphasis"><em>domain</em></span>, even if it is
           <span class="emphasis"><em>terminal</em></span>, that is, has no
           <span class="emphasis"><em>subdomains</em></span>.  Every subdomain is a domain and
           every domain except the root is also a subdomain. The terminology is
           not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
           to
           gain a complete understanding of this difficult and subtle
           topic.
         </p>
 <p>
           Though <acronym class="acronym">BIND</acronym> is called a "domain name
           server",
           it deals primarily in terms of zones. The master and slave
           declarations in the <code class="filename">named.conf</code> file
           specify
           zones, not domains. When you ask some other site if it is willing to
           be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
           actually asking for slave service for some collection of zones.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2567348"></a>Authoritative Name Servers</h3></div></div></div>
 <p>
           Each zone is served by at least
           one <span class="emphasis"><em>authoritative name server</em></span>,
           which contains the complete data for the zone.
           To make the DNS tolerant of server and network failures,
           most zones have two or more authoritative servers, on
           different networks.
         </p>
 <p>
           Responses from authoritative servers have the "authoritative
           answer" (AA) bit set in the response packets.  This makes them
           easy to identify when debugging DNS configurations using tools like
           <span><strong class="command">dig</strong></span> (<a href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called &#8220;Diagnostic Tools&#8221;</a>).
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2567371"></a>The Primary Master</h4></div></div></div>
 <p>
             The authoritative server where the master copy of the zone
             data is maintained is called the
             <span class="emphasis"><em>primary master</em></span> server, or simply the
             <span class="emphasis"><em>primary</em></span>.  Typically it loads the zone
             contents from some local file edited by humans or perhaps
             generated mechanically from some other local file which is
             edited by humans.  This file is called the
             <span class="emphasis"><em>zone file</em></span> or
             <span class="emphasis"><em>master file</em></span>.
           </p>
 <p>
             In some cases, however, the master file may not be edited
             by humans at all, but may instead be the result of
             <span class="emphasis"><em>dynamic update</em></span> operations.
           </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2567401"></a>Slave Servers</h4></div></div></div>
 <p>
             The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
             servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
             load
             the zone contents from another server using a replication process
             known as a <span class="emphasis"><em>zone transfer</em></span>.  Typically the data
             are
             transferred directly from the primary master, but it is also
             possible
             to transfer it from another slave.  In other words, a slave server
             may itself act as a master to a subordinate slave server.
           </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2567422"></a>Stealth Servers</h4></div></div></div>
 <p>
             Usually all of the zone's authoritative servers are listed in
             NS records in the parent zone.  These NS records constitute
             a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
             The authoritative servers are also listed in the zone file itself,
             at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
             of the zone.  You can list servers in the zone's top-level NS
             records that are not in the parent's NS delegation, but you cannot
             list servers in the parent's delegation that are not present at
             the zone's top level.
           </p>
 <p>
             A <span class="emphasis"><em>stealth server</em></span> is a server that is
             authoritative for a zone but is not listed in that zone's NS
             records.  Stealth servers can be used for keeping a local copy of
             a
             zone to speed up access to the zone's records or to make sure that
             the
             zone is available even if all the "official" servers for the zone
             are
             inaccessible.
           </p>
 <p>
             A configuration where the primary master server itself is a
             stealth server is often referred to as a "hidden primary"
             configuration.  One use for this configuration is when the primary
             master
             is behind a firewall and therefore unable to communicate directly
             with the outside world.
           </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2567589"></a>Caching Name Servers</h3></div></div></div>
 <p>
           The resolver libraries provided by most operating systems are
           <span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
           capable of
           performing the full DNS resolution process by themselves by talking
           directly to the authoritative servers.  Instead, they rely on a
           local
           name server to perform the resolution on their behalf.  Such a
           server
           is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
           <span class="emphasis"><em>recursive lookups</em></span> for local clients.
         </p>
 <p>
           To improve performance, recursive servers cache the results of
           the lookups they perform.  Since the processes of recursion and
           caching are intimately connected, the terms
           <span class="emphasis"><em>recursive server</em></span> and
           <span class="emphasis"><em>caching server</em></span> are often used synonymously.
         </p>
 <p>
           The length of time for which a record may be retained in
           the cache of a caching name server is controlled by the
           Time To Live (TTL) field associated with each resource record.
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2567624"></a>Forwarding</h4></div></div></div>
 <p>
             Even a caching name server does not necessarily perform
             the complete recursive lookup itself.  Instead, it can
             <span class="emphasis"><em>forward</em></span> some or all of the queries
             that it cannot satisfy from its cache to another caching name
             server,
             commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
           </p>
 <p>
             There may be one or more forwarders,
             and they are queried in turn until the list is exhausted or an
             answer
             is found. Forwarders are typically used when you do not
             wish all the servers at a given site to interact directly with the
             rest of
             the Internet servers. A typical scenario would involve a number
             of internal <acronym class="acronym">DNS</acronym> servers and an
             Internet firewall. Servers unable
             to pass packets through the firewall would forward to the server
             that can do it, and that server would query the Internet <acronym class="acronym">DNS</acronym> servers
             on the internal server's behalf.
           </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2567651"></a>Name Servers in Multiple Roles</h3></div></div></div>
 <p>
           The <acronym class="acronym">BIND</acronym> name server can
           simultaneously act as
           a master for some zones, a slave for other zones, and as a caching
           (recursive) server for a set of local clients.
         </p>
 <p>
           However, since the functions of authoritative name service
           and caching/recursive name service are logically separate, it is
           often advantageous to run them on separate server machines.
 
           A server that only provides authoritative name service
           (an <span class="emphasis"><em>authoritative-only</em></span> server) can run with
           recursion disabled, improving reliability and security.
 
           A server that is not authoritative for any zones and only provides
           recursive service to local
           clients (a <span class="emphasis"><em>caching-only</em></span> server)
           does not need to be reachable from the Internet at large and can
           be placed inside a firewall.
         </p>
 </div>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch02.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">BIND 9 Administrator Reference Manual </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html	(revision 286124)
@@ -1,159 +1,159 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 2. BIND Resource Requirements</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
 <link rel="next" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch01.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch03.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="chapter" lang="en">
 <div class="titlepage"><div><div><h2 class="title">
 <a name="Bv9ARM.ch02"></a>Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements</h2></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567685">Hardware requirements</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567712">CPU Requirements</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567793">Memory Requirements</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567819">Name Server Intensive Environment Issues</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567830">Supported Operating Systems</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2567685"></a>Hardware requirements</h2></div></div></div>
 <p>
         <acronym class="acronym">DNS</acronym> hardware requirements have
         traditionally been quite modest.
         For many installations, servers that have been pensioned off from
         active duty have performed admirably as <acronym class="acronym">DNS</acronym> servers.
       </p>
 <p>
         The DNSSEC features of <acronym class="acronym">BIND</acronym> 9
         may prove to be quite
         CPU intensive however, so organizations that make heavy use of these
         features may wish to consider larger systems for these applications.
         <acronym class="acronym">BIND</acronym> 9 is fully multithreaded, allowing
         full utilization of
         multiprocessor systems for installations that need it.
       </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2567712"></a>CPU Requirements</h2></div></div></div>
 <p>
         CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
         i486-class machines
         for serving of static zones without caching, to enterprise-class
         machines if you intend to process many dynamic updates and DNSSEC
         signed zones, serving many thousands of queries per second.
       </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2567793"></a>Memory Requirements</h2></div></div></div>
 <p>
         The memory of the server has to be large enough to fit the
         cache and zones loaded off disk.  The <span><strong class="command">max-cache-size</strong></span>
         option can be used to limit the amount of memory used by the cache,
         at the expense of reducing cache hit rates and causing more <acronym class="acronym">DNS</acronym>
         traffic.
         Additionally, if additional section caching
         (<a href="Bv9ARM.ch06.html#acache" title="Additional Section Caching">the section called &#8220;Additional Section Caching&#8221;</a>) is enabled,
         the <span><strong class="command">max-acache-size</strong></span> option can be used to
         limit the amount
         of memory used by the mechanism.
         It is still good practice to have enough memory to load
         all zone and cache data into memory &#8212; unfortunately, the best
         way
         to determine this for a given installation is to watch the name server
         in operation. After a few weeks the server process should reach
         a relatively stable size where entries are expiring from the cache as
         fast as they are being inserted.
       </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2567819"></a>Name Server Intensive Environment Issues</h2></div></div></div>
 <p>
         For name server intensive environments, there are two alternative
         configurations that may be used. The first is where clients and
         any second-level internal name servers query a main name server, which
         has enough memory to build a large cache. This approach minimizes
         the bandwidth used by external name lookups. The second alternative
         is to set up second-level internal name servers to make queries
         independently.
         In this configuration, none of the individual machines needs to
         have as much memory or CPU power as in the first alternative, but
         this has the disadvantage of making many more external queries,
         as none of the name servers share their cached data.
       </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2567830"></a>Supported Operating Systems</h2></div></div></div>
 <p>
         ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
         number
         of Unix-like operating systems and on 
         Microsoft Windows Server 2003 and 2008, and Windows XP and Vista.
         For an up-to-date
         list of supported systems, see the README file in the top level
         directory
         of the BIND 9 source distribution.
       </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch01.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch03.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Chapter 1. Introduction </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> Chapter 3. Name Server Configuration</td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html	(revision 286124)
@@ -1,670 +1,670 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 3. Name Server Configuration</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
 <link rel="next" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">Chapter 3. Name Server Configuration</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="chapter" lang="en">
 <div class="titlepage"><div><div><h2 class="title">
 <a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h2></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567998">A Caching-only Name Server</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568014">An Authoritative-only Name Server</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568037">Load Balancing</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568391">Name Server Operations</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568396">Tools for Use With the Name Server Daemon</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2569449">Signals</a></span></dt>
 </dl></dd>
 </dl>
 </div>
 <p>
       In this chapter we provide some suggested configurations along
       with guidelines for their use.  We suggest reasonable values for
       certain option settings.
     </p>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2567998"></a>A Caching-only Name Server</h3></div></div></div>
 <p>
           The following sample configuration is appropriate for a caching-only
           name server for use by clients internal to a corporation.  All
           queries
           from outside clients are refused using the <span><strong class="command">allow-query</strong></span>
           option.  Alternatively, the same effect could be achieved using
           suitable
           firewall rules.
         </p>
 <pre class="programlisting">
 // Two corporate subnets we wish to allow queries from.
 acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
 options {
      // Working directory
      directory "/etc/namedb";
 
      allow-query { corpnets; };
 };
 // Provide a reverse mapping for the loopback
 // address 127.0.0.1
 zone "0.0.127.in-addr.arpa" {
      type master;
      file "localhost.rev";
      notify no;
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2568014"></a>An Authoritative-only Name Server</h3></div></div></div>
 <p>
           This sample configuration is for an authoritative-only server
           that is the master server for "<code class="filename">example.com</code>"
           and a slave for the subdomain "<code class="filename">eng.example.com</code>".
         </p>
 <pre class="programlisting">
 options {
      // Working directory
      directory "/etc/namedb";
      // Do not allow access to cache
      allow-query-cache { none; };
      // This is the default
      allow-query { any; };
      // Do not provide recursive service
      recursion no;
 };
 
 // Provide a reverse mapping for the loopback
 // address 127.0.0.1
 zone "0.0.127.in-addr.arpa" {
      type master;
      file "localhost.rev";
      notify no;
 };
 // We are the master server for example.com
 zone "example.com" {
      type master;
      file "example.com.db";
      // IP addresses of slave servers allowed to
      // transfer example.com
      allow-transfer {
           192.168.4.14;
           192.168.5.53;
      };
 };
 // We are a slave server for eng.example.com
 zone "eng.example.com" {
      type slave;
      file "eng.example.com.bk";
      // IP address of eng.example.com master server
      masters { 192.168.4.12; };
 };
 </pre>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2568037"></a>Load Balancing</h2></div></div></div>
 <p>
         A primitive form of load balancing can be achieved in
         the <acronym class="acronym">DNS</acronym> by using multiple records
         (such as multiple A records) for one name.
       </p>
 <p>
         For example, if you have three WWW servers with network addresses
         of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
         following means that clients will connect to each machine one third
         of the time:
       </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 <col>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                 <p>
                   Name
                 </p>
               </td>
 <td>
                 <p>
                   TTL
                 </p>
               </td>
 <td>
                 <p>
                   CLASS
                 </p>
               </td>
 <td>
                 <p>
                   TYPE
                 </p>
               </td>
 <td>
                 <p>
                   Resource Record (RR) Data
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="literal">www</code>
                 </p>
               </td>
 <td>
                 <p>
                   <code class="literal">600</code>
                 </p>
               </td>
 <td>
                 <p>
                   <code class="literal">IN</code>
                 </p>
               </td>
 <td>
                 <p>
                   <code class="literal">A</code>
                 </p>
               </td>
 <td>
                 <p>
                   <code class="literal">10.0.0.1</code>
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p></p>
               </td>
 <td>
                 <p>
                   <code class="literal">600</code>
                 </p>
               </td>
 <td>
                 <p>
                   <code class="literal">IN</code>
                 </p>
               </td>
 <td>
                 <p>
                   <code class="literal">A</code>
                 </p>
               </td>
 <td>
                 <p>
                   <code class="literal">10.0.0.2</code>
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p></p>
               </td>
 <td>
                 <p>
                   <code class="literal">600</code>
                 </p>
               </td>
 <td>
                 <p>
                   <code class="literal">IN</code>
                 </p>
               </td>
 <td>
                 <p>
                   <code class="literal">A</code>
                 </p>
               </td>
 <td>
                 <p>
                   <code class="literal">10.0.0.3</code>
                 </p>
               </td>
 </tr>
 </tbody>
 </table></div>
 <p>
         When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
         them and respond to the query with the records in a different
         order.  In the example above, clients will randomly receive
         records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
         will use the first record returned and discard the rest.
       </p>
 <p>
         For more detail on ordering responses, check the
         <span><strong class="command">rrset-order</strong></span> sub-statement in the
         <span><strong class="command">options</strong></span> statement, see
         <a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>.
       </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2568391"></a>Name Server Operations</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2568396"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
 <p>
           This section describes several indispensable diagnostic,
           administrative and monitoring tools available to the system
           administrator for controlling and debugging the name server
           daemon.
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
 <p>
             The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and
             <span><strong class="command">nslookup</strong></span> programs are all command
             line tools
             for manually querying name servers.  They differ in style and
             output format.
           </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><a name="dig"></a><span><strong class="command">dig</strong></span></span></dt>
 <dd>
 <p>
                   The domain information groper (<span><strong class="command">dig</strong></span>)
                   is the most versatile and complete of these lookup tools.
                   It has two modes: simple interactive
                   mode for a single query, and batch mode which executes a
                   query for
                   each in a list of several query lines. All query options are
                   accessible
                   from the command line.
                 </p>
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [@<em class="replaceable"><code>server</code></em>]  <em class="replaceable"><code>domain</code></em>  [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
 <p>
                   The usual simple use of <span><strong class="command">dig</strong></span> will take the form
                 </p>
 <p>
                   <span><strong class="command">dig @server domain query-type query-class</strong></span>
                 </p>
 <p>
                   For more information and a list of available commands and
                   options, see the <span><strong class="command">dig</strong></span> man
                   page.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">host</strong></span></span></dt>
 <dd>
 <p>
                   The <span><strong class="command">host</strong></span> utility emphasizes
                   simplicity
                   and ease of use.  By default, it converts
                   between host names and Internet addresses, but its
                   functionality
                   can be extended with the use of options.
                 </p>
 <div class="cmdsynopsis"><p><code class="command">host</code>  [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6]  <em class="replaceable"><code>hostname</code></em>  [<em class="replaceable"><code>server</code></em>]</p></div>
 <p>
                   For more information and a list of available commands and
                   options, see the <span><strong class="command">host</strong></span> man
                   page.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">nslookup</strong></span></span></dt>
 <dd>
 <p><span><strong class="command">nslookup</strong></span>
                   has two modes: interactive and
                   non-interactive. Interactive mode allows the user to
                   query name servers for information about various
                   hosts and domains or to print a list of hosts in a
                   domain. Non-interactive mode is used to print just
                   the name and requested information for a host or
                   domain.
                 </p>
 <div class="cmdsynopsis"><p><code class="command">nslookup</code>  [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] |  [- [server]]]</p></div>
 <p>
                   Interactive mode is entered when no arguments are given (the
                   default name server will be used) or when the first argument
                   is a
                   hyphen (`-') and the second argument is the host name or
                   Internet address
                   of a name server.
                 </p>
 <p>
                   Non-interactive mode is used when the name or Internet
                   address
                   of the host to be looked up is given as the first argument.
                   The
                   optional second argument specifies the host name or address
                   of a name server.
                 </p>
 <p>
                   Due to its arcane user interface and frequently inconsistent
                   behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>.
                   Use <span><strong class="command">dig</strong></span> instead.
                 </p>
 </dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
 <p>
             Administrative tools play an integral part in the management
             of a server.
           </p>
 <div class="variablelist"><dl>
 <dt>
 <a name="named-checkconf"></a><span class="term"><span><strong class="command">named-checkconf</strong></span></span>
 </dt>
 <dd>
 <p>
                   The <span><strong class="command">named-checkconf</strong></span> program
                   checks the syntax of a <code class="filename">named.conf</code> file.
                 </p>
 <div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
 </dd>
 <dt>
 <a name="named-checkzone"></a><span class="term"><span><strong class="command">named-checkzone</strong></span></span>
 </dt>
 <dd>
 <p>
                   The <span><strong class="command">named-checkzone</strong></span> program
                   checks a master file for
                   syntax and consistency.
                 </p>
 <div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>]  <em class="replaceable"><code>zone</code></em>  [<em class="replaceable"><code>filename</code></em>]</p></div>
 </dd>
 <dt>
 <a name="named-compilezone"></a><span class="term"><span><strong class="command">named-compilezone</strong></span></span>
 </dt>
 <dd><p>
                   Similar to <span><strong class="command">named-checkzone,</strong></span> but
                   it always dumps the zone content to a specified file
                   (typically in a different format).
                 </p></dd>
 <dt>
 <a name="rndc"></a><span class="term"><span><strong class="command">rndc</strong></span></span>
 </dt>
 <dd>
 <p>
                   The remote name daemon control
                   (<span><strong class="command">rndc</strong></span>) program allows the
                   system
                   administrator to control the operation of a name server.
                   Since <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
                   supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
                   utility except <span><strong class="command">ndc start</strong></span> and
                   <span><strong class="command">ndc restart</strong></span>, which were also
                   not supported in <span><strong class="command">ndc</strong></span>'s
                   channel mode.
                   If you run <span><strong class="command">rndc</strong></span> without any
                   options
                   it will display a usage message as follows:
                 </p>
 <div class="cmdsynopsis"><p><code class="command">rndc</code>  [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>]  <em class="replaceable"><code>command</code></em>  [<em class="replaceable"><code>command</code></em>...]</p></div>
 <p>See <a href="man.rndc.html" title="rndc"><span class="refentrytitle"><span class="application">rndc</span></span>(8)</a> for details of
                   the available <span><strong class="command">rndc</strong></span> commands.
                 </p>
 <p>
                   <span><strong class="command">rndc</strong></span> requires a configuration file,
                   since all
                   communication with the server is authenticated with
                   digital signatures that rely on a shared secret, and
                   there is no way to provide that secret other than with a
                   configuration file.  The default location for the
                   <span><strong class="command">rndc</strong></span> configuration file is
                   <code class="filename">/etc/rndc.conf</code>, but an
                   alternate
                   location can be specified with the <code class="option">-c</code>
                   option.  If the configuration file is not found,
                   <span><strong class="command">rndc</strong></span> will also look in
                   <code class="filename">/etc/rndc.key</code> (or whatever
                   <code class="varname">sysconfdir</code> was defined when
                   the <acronym class="acronym">BIND</acronym> build was
                   configured).
                   The <code class="filename">rndc.key</code> file is
                   generated by
                   running <span><strong class="command">rndc-confgen -a</strong></span> as
                   described in
                   <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
           Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
           Usage&#8221;</a>.
                 </p>
 <p>
                   The format of the configuration file is similar to
                   that of <code class="filename">named.conf</code>, but
                   limited to
                   only four statements, the <span><strong class="command">options</strong></span>,
                   <span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and
                   <span><strong class="command">include</strong></span>
                   statements.  These statements are what associate the
                   secret keys to the servers with which they are meant to
                   be shared.  The order of statements is not
                   significant.
                 </p>
 <p>
                   The <span><strong class="command">options</strong></span> statement has
                   three clauses:
                   <span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>,
                   and <span><strong class="command">default-port</strong></span>.
                   <span><strong class="command">default-server</strong></span> takes a
                   host name or address argument  and represents the server
                   that will
                   be contacted if no <code class="option">-s</code>
                   option is provided on the command line.
                   <span><strong class="command">default-key</strong></span> takes
                   the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement.
                   <span><strong class="command">default-port</strong></span> specifies the
                   port to which
                   <span><strong class="command">rndc</strong></span> should connect if no
                   port is given on the command line or in a
                   <span><strong class="command">server</strong></span> statement.
                 </p>
 <p>
                   The <span><strong class="command">key</strong></span> statement defines a
                   key to be used
                   by <span><strong class="command">rndc</strong></span> when authenticating
                   with
                   <span><strong class="command">named</strong></span>.  Its syntax is
                   identical to the
                   <span><strong class="command">key</strong></span> statement in <code class="filename">named.conf</code>.
                   The keyword <strong class="userinput"><code>key</code></strong> is
                   followed by a key name, which must be a valid
                   domain name, though it need not actually be hierarchical;
                   thus,
                   a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid
                   name.
                   The <span><strong class="command">key</strong></span> statement has two
                   clauses:
                   <span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>.
                   While the configuration parser will accept any string as the
                   argument
                   to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>"
                   has any meaning.  The secret is a base-64 encoded string
                   as specified in RFC 3548.
                 </p>
 <p>
                   The <span><strong class="command">server</strong></span> statement
                   associates a key
                   defined using the <span><strong class="command">key</strong></span>
                   statement with a server.
                   The keyword <strong class="userinput"><code>server</code></strong> is followed by a
                   host name or address.  The <span><strong class="command">server</strong></span> statement
                   has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>.
                   The <span><strong class="command">key</strong></span> clause specifies the
                   name of the key
                   to be used when communicating with this server, and the
                   <span><strong class="command">port</strong></span> clause can be used to
                   specify the port <span><strong class="command">rndc</strong></span> should
                   connect
                   to on the server.
                 </p>
 <p>
                   A sample minimal configuration file is as follows:
                 </p>
 <pre class="programlisting">
 key rndc_key {
      algorithm "hmac-md5";
      secret
        "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
 };
 options {
      default-server 127.0.0.1;
      default-key    rndc_key;
 };
 </pre>
 <p>
                   This file, if installed as <code class="filename">/etc/rndc.conf</code>,
                   would allow the command:
                 </p>
 <p>
                   <code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong>
                 </p>
 <p>
                   to connect to 127.0.0.1 port 953 and cause the name server
                   to reload, if a name server on the local machine were
                   running with
                   following controls statements:
                 </p>
 <pre class="programlisting">
 controls {
         inet 127.0.0.1
             allow { localhost; } keys { rndc_key; };
 };
 </pre>
 <p>
                   and it had an identical key statement for
                   <code class="literal">rndc_key</code>.
                 </p>
 <p>
                   Running the <span><strong class="command">rndc-confgen</strong></span>
                   program will
                   conveniently create a <code class="filename">rndc.conf</code>
                   file for you, and also display the
                   corresponding <span><strong class="command">controls</strong></span>
                   statement that you need to
                   add to <code class="filename">named.conf</code>.
                   Alternatively,
                   you can run <span><strong class="command">rndc-confgen -a</strong></span>
                   to set up
                   a <code class="filename">rndc.key</code> file and not
                   modify
                   <code class="filename">named.conf</code> at all.
                 </p>
 </dd>
 </dl></div>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2569449"></a>Signals</h3></div></div></div>
 <p>
           Certain UNIX signals cause the name server to take specific
           actions, as described in the following table.  These signals can
           be sent using the <span><strong class="command">kill</strong></span> command.
         </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                   <p><span><strong class="command">SIGHUP</strong></span></p>
                 </td>
 <td>
                   <p>
                     Causes the server to read <code class="filename">named.conf</code> and
                     reload the database.
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p><span><strong class="command">SIGTERM</strong></span></p>
                 </td>
 <td>
                   <p>
                     Causes the server to clean up and exit.
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p><span><strong class="command">SIGINT</strong></span></p>
                 </td>
 <td>
                   <p>
                     Causes the server to clean up and exit.
                   </p>
                 </td>
 </tr>
 </tbody>
 </table></div>
 </div>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> Chapter 4. Advanced DNS Features</td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html	(revision 286124)
@@ -1,1940 +1,1940 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 4. Advanced DNS Features</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
 <link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">Chapter 4. Advanced DNS Features</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="chapter" lang="en">
 <div class="titlepage"><div><div><h2 class="title">
 <a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h2></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2564237">Split DNS</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564256">Example split DNS setup</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570560">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570701">Copying the Shared Secret to Both Machines</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570712">Informing the Servers of the Key's Existence</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570748">Instructing the Server to Use the Key</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570806">TSIG Key Based Access Control</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570855">Errors</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570869">TKEY</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570918">SIG(0)</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571054">Generating Keys</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571338">Signing the Zone</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571419">Configuring Servers</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609449">Converting from insecure to secure</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609486">Dynamic DNS update method</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563716">Fully automatic zone signing</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563963">Private-type records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564001">DNSKEY rollovers</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564013">Dynamic DNS update method</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569781">Automatic key rollovers</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569808">NSEC3PARAM rollovers via UPDATE</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569817">Converting from NSEC to NSEC3</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569827">Converting from NSEC3 to NSEC</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608888">Converting from secure to insecure</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608925">Periodic re-signing</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608935">NSEC3 and OPTOUT</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569982">Validating Resolver</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570005">Authoritative Server</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609020">Prerequisites</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610137">Building BIND 9 with PKCS#11</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612651">PKCS #11 Tools</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612682">Using the HSM</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636637">Specifying the engine on the command line</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636683">Running named with automatic zone re-signing</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571639">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571906">Address Lookups Using AAAA Records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571927">Address to Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="notify"></a>Notify</h2></div></div></div>
 <p>
         <acronym class="acronym">DNS</acronym> NOTIFY is a mechanism that allows master
         servers to notify their slave servers of changes to a zone's data. In
         response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
         slave will check to see that its version of the zone is the
         current version and, if not, initiate a zone transfer.
       </p>
 <p>
         For more information about <acronym class="acronym">DNS</acronym>
         <span><strong class="command">NOTIFY</strong></span>, see the description of the
         <span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
         the description of the zone option <span><strong class="command">also-notify</strong></span> in
         <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.  The <span><strong class="command">NOTIFY</strong></span>
         protocol is specified in RFC 1996.
       </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
         As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
         by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
         it loads.  Specifying <span><strong class="command">notify master-only;</strong></span> will
         cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
         zones that it loads.
       </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
 <p>
         Dynamic Update is a method for adding, replacing or deleting
         records in a master server by sending it a special form of DNS
         messages.  The format and meaning of these messages is specified
         in RFC 2136.
       </p>
 <p>
         Dynamic update is enabled by including an
         <span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span>
         clause in the <span><strong class="command">zone</strong></span> statement.
       </p>
 <p>
         If the zone's <span><strong class="command">update-policy</strong></span> is set to
         <strong class="userinput"><code>local</code></strong>, updates to the zone
         will be permitted for the key <code class="varname">local-ddns</code>,
         which will be generated by <span><strong class="command">named</strong></span> at startup.
         See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for more details.
       </p>
 <p>
         Dynamic updates using Kerberos signed requests can be made
         using the TKEY/GSS protocol by setting either the
         <span><strong class="command">tkey-gssapi-keytab</strong></span> option, or alternatively
         by setting both the <span><strong class="command">tkey-gssapi-credential</strong></span>
         and <span><strong class="command">tkey-domain</strong></span> options. Once enabled,
         Kerberos signed requests will be matched against the update
         policies for the zone, using the Kerberos principal as the
         signer for the request.
       </p>
 <p>
         Updating of secure zones (zones using DNSSEC) follows RFC
         3007: RRSIG, NSEC and NSEC3 records affected by updates are
         automatically regenerated by the server using an online
         zone key.  Update authorization is based on transaction
         signatures and an explicit server policy.
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="journal"></a>The journal file</h3></div></div></div>
 <p>
           All changes made to a zone using dynamic update are stored
           in the zone's journal file.  This file is automatically created
           by the server when the first dynamic update takes place.
           The name of the journal file is formed by appending the extension
           <code class="filename">.jnl</code> to the name of the
           corresponding zone
           file unless specifically overridden.  The journal file is in a
           binary format and should not be edited manually.
         </p>
 <p>
           The server will also occasionally write ("dump")
           the complete contents of the updated zone to its zone file.
           This is not done immediately after
           each dynamic update, because that would be too slow when a large
           zone is updated frequently.  Instead, the dump is delayed by
           up to 15 minutes, allowing additional updates to take place.
           During the dump process, transient files will be created
           with the extensions <code class="filename">.jnw</code> and
           <code class="filename">.jbk</code>; under ordinary circumstances, these
           will be removed when the dump is complete, and can be safely
           ignored.
         </p>
 <p>
           When a server is restarted after a shutdown or crash, it will replay
               the journal file to incorporate into the zone any updates that
           took
           place after the last zone dump.
         </p>
 <p>
           Changes that result from incoming incremental zone transfers are
           also
           journalled in a similar way.
         </p>
 <p>
           The zone files of dynamic zones cannot normally be edited by
           hand because they are not guaranteed to contain the most recent
           dynamic changes &#8212; those are only in the journal file.
           The only way to ensure that the zone file of a dynamic zone
           is up to date is to run <span><strong class="command">rndc stop</strong></span>.
         </p>
 <p>
           If you have to make changes to a dynamic zone
           manually, the following procedure will work:
           Disable dynamic updates to the zone using
           <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
           This will update the zone's master file with the changes
           stored in its <code class="filename">.jnl</code> file.
           Edit the zone file.  Run
           <span><strong class="command">rndc thaw <em class="replaceable"><code>zone</code></em></strong></span>
           to reload the changed zone and re-enable dynamic updates.
         </p>
 <p>
           <span><strong class="command">rndc sync <em class="replaceable"><code>zone</code></em></strong></span>
           will update the zone file with changes from the journal file
           without stopping dynamic updates; this may be useful for viewing
           the current zone state.  To remove the <code class="filename">.jnl</code>
           file after updating the zone file, use
           <span><strong class="command">rndc sync -clean</strong></span>.
         </p>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
 <p>
         The incremental zone transfer (IXFR) protocol is a way for
         slave servers to transfer only changed data, instead of having to
         transfer the entire zone. The IXFR protocol is specified in RFC
         1995. See <a href="Bv9ARM.ch11.html#proposed_standards">Proposed Standards</a>.
       </p>
 <p>
         When acting as a master, <acronym class="acronym">BIND</acronym> 9
         supports IXFR for those zones
         where the necessary change history information is available. These
         include master zones maintained by dynamic update and slave zones
         whose data was obtained by IXFR.  For manually maintained master
         zones, and for slave zones obtained by performing a full zone
         transfer (AXFR), IXFR is supported only if the option
         <span><strong class="command">ixfr-from-differences</strong></span> is set
         to <strong class="userinput"><code>yes</code></strong>.
       </p>
 <p>
         When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
         attempt to use IXFR unless
         it is explicitly disabled. For more information about disabling
         IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
         of the <span><strong class="command">server</strong></span> statement.
       </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2564237"></a>Split DNS</h2></div></div></div>
 <p>
         Setting up different views, or visibility, of the DNS space to
         internal and external resolvers is usually referred to as a
         <span class="emphasis"><em>Split DNS</em></span> setup. There are several
         reasons an organization would want to set up its DNS this way.
       </p>
 <p>
         One common reason for setting up a DNS system this way is
         to hide "internal" DNS information from "external" clients on the
         Internet. There is some debate as to whether or not this is actually
         useful.
         Internal DNS information leaks out in many ways (via email headers,
         for example) and most savvy "attackers" can find the information
         they need using other means.
         However, since listing addresses of internal servers that
         external clients cannot possibly reach can result in
         connection delays and other annoyances, an organization may
         choose to use a Split DNS to present a consistent view of itself
         to the outside world.
       </p>
 <p>
         Another common reason for setting up a Split DNS system is
         to allow internal networks that are behind filters or in RFC 1918
         space (reserved IP space, as documented in RFC 1918) to resolve DNS
         on the Internet. Split DNS can also be used to allow mail from outside
         back in to the internal network.
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2564256"></a>Example split DNS setup</h3></div></div></div>
 <p>
         Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
         (<code class="literal">example.com</code>)
         has several corporate sites that have an internal network with
         reserved
         Internet Protocol (IP) space and an external demilitarized zone (DMZ),
         or "outside" section of a network, that is available to the public.
       </p>
 <p>
         <span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
         to be able to resolve external hostnames and to exchange mail with
         people on the outside. The company also wants its internal resolvers
         to have access to certain internal-only zones that are not available
         at all outside of the internal network.
       </p>
 <p>
         In order to accomplish this, the company will set up two sets
         of name servers. One set will be on the inside network (in the
         reserved
         IP space) and the other set will be on bastion hosts, which are
         "proxy"
         hosts that can talk to both sides of its network, in the DMZ.
       </p>
 <p>
         The internal servers will be configured to forward all queries,
         except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
         and <code class="filename">site2.example.com</code>, to the servers
         in the
         DMZ. These internal servers will have complete sets of information
         for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
         and <code class="filename">site2.internal</code>.
       </p>
 <p>
         To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
         the internal name servers must be configured to disallow all queries
         to these domains from any external hosts, including the bastion
         hosts.
       </p>
 <p>
         The external servers, which are on the bastion hosts, will
         be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
         This could include things such as the host records for public servers
         (<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
         and mail exchange (MX)  records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).
       </p>
 <p>
         In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
         should have special MX records that contain wildcard (`*') records
         pointing to the bastion hosts. This is needed because external mail
         servers do not have any other way of looking up how to deliver mail
         to those internal hosts. With the wildcard records, the mail will
         be delivered to the bastion host, which can then forward it on to
         internal hosts.
       </p>
 <p>
         Here's an example of a wildcard MX record:
       </p>
 <pre class="programlisting">*   IN MX 10 external1.example.com.</pre>
 <p>
         Now that they accept mail on behalf of anything in the internal
         network, the bastion hosts will need to know how to deliver mail
         to internal hosts. In order for this to work properly, the resolvers
         on
         the bastion hosts will need to be configured to point to the internal
         name servers for DNS resolution.
       </p>
 <p>
         Queries for internal hostnames will be answered by the internal
         servers, and queries for external hostnames will be forwarded back
         out to the DNS servers on the bastion hosts.
       </p>
 <p>
         In order for all this to work properly, internal clients will
         need to be configured to query <span class="emphasis"><em>only</em></span> the internal
         name servers for DNS queries. This could also be enforced via
         selective
         filtering on the network.
       </p>
 <p>
         If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
         internal clients will now be able to:
       </p>
 <div class="itemizedlist"><ul type="disc">
 <li>
             Look up any hostnames in the <code class="literal">site1</code>
             and
             <code class="literal">site2.example.com</code> zones.
           </li>
 <li>
             Look up any hostnames in the <code class="literal">site1.internal</code> and
             <code class="literal">site2.internal</code> domains.
           </li>
 <li>Look up any hostnames on the Internet.</li>
 <li>Exchange mail with both internal and external people.</li>
 </ul></div>
 <p>
         Hosts on the Internet will be able to:
       </p>
 <div class="itemizedlist"><ul type="disc">
 <li>
             Look up any hostnames in the <code class="literal">site1</code>
             and
             <code class="literal">site2.example.com</code> zones.
           </li>
 <li>
             Exchange mail with anyone in the <code class="literal">site1</code> and
             <code class="literal">site2.example.com</code> zones.
           </li>
 </ul></div>
 <p>
         Here is an example configuration for the setup we just
         described above. Note that this is only configuration information;
         for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a>.
       </p>
 <p>
         Internal DNS server config:
       </p>
 <pre class="programlisting">
 
 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
 
 acl externals { <code class="varname">bastion-ips-go-here</code>; };
 
 options {
     ...
     ...
     forward only;
     // forward to external servers
     forwarders {
         <code class="varname">bastion-ips-go-here</code>;
     };
     // sample allow-transfer (no one)
     allow-transfer { none; };
     // restrict query access
     allow-query { internals; externals; };
     // restrict recursion
     allow-recursion { internals; };
     ...
     ...
 };
 
 // sample master zone
 zone "site1.example.com" {
   type master;
   file "m/site1.example.com";
   // do normal iterative resolution (do not forward)
   forwarders { };
   allow-query { internals; externals; };
   allow-transfer { internals; };
 };
 
 // sample slave zone
 zone "site2.example.com" {
   type slave;
   file "s/site2.example.com";
   masters { 172.16.72.3; };
   forwarders { };
   allow-query { internals; externals; };
   allow-transfer { internals; };
 };
 
 zone "site1.internal" {
   type master;
   file "m/site1.internal";
   forwarders { };
   allow-query { internals; };
   allow-transfer { internals; }
 };
 
 zone "site2.internal" {
   type slave;
   file "s/site2.internal";
   masters { 172.16.72.3; };
   forwarders { };
   allow-query { internals };
   allow-transfer { internals; }
 };
 </pre>
 <p>
         External (bastion host) DNS server config:
       </p>
 <pre class="programlisting">
 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
 
 acl externals { bastion-ips-go-here; };
 
 options {
   ...
   ...
   // sample allow-transfer (no one)
   allow-transfer { none; };
   // default query access
   allow-query { any; };
   // restrict cache access
   allow-query-cache { internals; externals; };
   // restrict recursion
   allow-recursion { internals; externals; };
   ...
   ...
 };
 
 // sample slave zone
 zone "site1.example.com" {
   type master;
   file "m/site1.foo.com";
   allow-transfer { internals; externals; };
 };
 
 zone "site2.example.com" {
   type slave;
   file "s/site2.foo.com";
   masters { another_bastion_host_maybe; };
   allow-transfer { internals; externals; }
 };
 </pre>
 <p>
         In the <code class="filename">resolv.conf</code> (or equivalent) on
         the bastion host(s):
       </p>
 <pre class="programlisting">
 search ...
 nameserver 172.16.72.2
 nameserver 172.16.72.3
 nameserver 172.16.72.4
 </pre>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="tsig"></a>TSIG</h2></div></div></div>
 <p>
         This is a short guide to setting up Transaction SIGnatures
         (TSIG) based transaction security in <acronym class="acronym">BIND</acronym>. It describes changes
         to the configuration file as well as what changes are required for
         different features, including the process of creating transaction
         keys and using transaction signatures with <acronym class="acronym">BIND</acronym>.
       </p>
 <p>
         <acronym class="acronym">BIND</acronym> primarily supports TSIG for server
         to server communication.
         This includes zone transfer, notify, and recursive query messages.
         Resolvers based on newer versions of <acronym class="acronym">BIND</acronym> 8 have limited support
         for TSIG.
       </p>
 <p>
         TSIG can also be useful for dynamic update. A primary
         server for a dynamic zone should control access to the dynamic
         update service, but IP-based access control is insufficient.
         The cryptographic access control provided by TSIG
         is far superior. The <span><strong class="command">nsupdate</strong></span>
         program supports TSIG via the <code class="option">-k</code> and
         <code class="option">-y</code> command line options or inline by use
         of the <span><strong class="command">key</strong></span>.
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2570560"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
 <p>
           A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
           An arbitrary key name is chosen: "host1-host2.". The key name must
           be the same on both hosts.
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2570577"></a>Automatic Generation</h4></div></div></div>
 <p>
             The following command will generate a 128-bit (16 byte) HMAC-SHA256
             key as described above. Longer keys are better, but shorter keys
             are easier to read. Note that the maximum key length is the digest
             length, here 256 bits.
           </p>
 <p>
             <strong class="userinput"><code>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</code></strong>
           </p>
 <p>
             The key is in the file <code class="filename">Khost1-host2.+163+00000.private</code>.
             Nothing directly uses this file, but the base-64 encoded string
             following "<code class="literal">Key:</code>"
             can be extracted from the file and used as a shared secret:
           </p>
 <pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
 <p>
             The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
             be used as the shared secret.
           </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2570683"></a>Manual Generation</h4></div></div></div>
 <p>
             The shared secret is simply a random sequence of bits, encoded
             in base-64. Most ASCII strings are valid base-64 strings (assuming
             the length is a multiple of 4 and only valid characters are used),
             so the shared secret can be manually generated.
           </p>
 <p>
             Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
             a similar program to generate base-64 encoded data.
           </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2570701"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
 <p>
           This is beyond the scope of DNS. A secure transport mechanism
           should be used. This could be secure FTP, ssh, telephone, etc.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2570712"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
 <p>
           Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
           are
           both servers. The following is added to each server's <code class="filename">named.conf</code> file:
         </p>
 <pre class="programlisting">
 key host1-host2. {
   algorithm hmac-sha256;
   secret "La/E5CjG9O+os1jq0a2jdA==";
 };
 </pre>
 <p>
           The secret is the one generated above. Since this is a secret, it
           is recommended that either <code class="filename">named.conf</code> be
           non-world readable, or the key directive be added to a non-world
           readable file that is included by <code class="filename">named.conf</code>.
         </p>
 <p>
           At this point, the key is recognized. This means that if the
           server receives a message signed by this key, it can verify the
           signature. If the signature is successfully verified, the
           response is signed by the same key.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2570748"></a>Instructing the Server to Use the Key</h3></div></div></div>
 <p>
           Since keys are shared between two hosts only, the server must
           be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
           for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
           10.1.2.3:
         </p>
 <pre class="programlisting">
 server 10.1.2.3 {
   keys { host1-host2. ;};
 };
 </pre>
 <p>
           Multiple keys may be present, but only the first is used.
           This directive does not contain any secrets, so it may be in a
           world-readable
           file.
         </p>
 <p>
           If <span class="emphasis"><em>host1</em></span> sends a message that is a request
           to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
           expect any responses to signed messages to be signed with the same
           key.
         </p>
 <p>
           A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
           configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
           sign request messages to <span class="emphasis"><em>host1</em></span>.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2570806"></a>TSIG Key Based Access Control</h3></div></div></div>
 <p>
           <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
           to be specified in ACL
           definitions and
           <span><strong class="command">allow-{ query | transfer | update }</strong></span>
           directives.
           This has been extended to allow TSIG keys also. The above key would
           be denoted <span><strong class="command">key host1-host2.</strong></span>
         </p>
 <p>
           An example of an <span><strong class="command">allow-update</strong></span> directive would be:
         </p>
 <pre class="programlisting">
 allow-update { key host1-host2. ;};
 </pre>
 <p>
           This allows dynamic updates to succeed only if the request
           was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
         </p>
 <p>
           See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for a discussion of
           the more flexible <span><strong class="command">update-policy</strong></span> statement.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2570855"></a>Errors</h3></div></div></div>
 <p>
           The processing of TSIG signed messages can result in
           several errors. If a signed message is sent to a non-TSIG aware
           server, a FORMERR (format error) will be returned, since the server will not
           understand the record. This is a result of misconfiguration,
           since the server must be explicitly configured to send a TSIG
           signed message to a specific server.
         </p>
 <p>
           If a TSIG aware server receives a message signed by an
           unknown key, the response will be unsigned with the TSIG
           extended error code set to BADKEY. If a TSIG aware server
           receives a message with a signature that does not validate, the
           response will be unsigned with the TSIG extended error code set
           to BADSIG. If a TSIG aware server receives a message with a time
           outside of the allowed range, the response will be signed with
           the TSIG extended error code set to BADTIME, and the time values
           will be adjusted so that the response can be successfully
           verified. In any of these cases, the message's rcode (response code) is set to
           NOTAUTH (not authenticated).
         </p>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2570869"></a>TKEY</h2></div></div></div>
 <p><span><strong class="command">TKEY</strong></span>
         is a mechanism for automatically generating a shared secret
         between two hosts.  There are several "modes" of
         <span><strong class="command">TKEY</strong></span> that specify how the key is generated
         or assigned.  <acronym class="acronym">BIND</acronym> 9 implements only one of
         these modes, the Diffie-Hellman key exchange.  Both hosts are
         required to have a Diffie-Hellman KEY record (although this
         record is not required to be present in a zone).  The
         <span><strong class="command">TKEY</strong></span> process must use signed messages,
         signed either by TSIG or SIG(0).  The result of
         <span><strong class="command">TKEY</strong></span> is a shared secret that can be used to
         sign messages with TSIG.  <span><strong class="command">TKEY</strong></span> can also be
         used to delete shared secrets that it had previously
         generated.
       </p>
 <p>
         The <span><strong class="command">TKEY</strong></span> process is initiated by a
         client
         or server by sending a signed <span><strong class="command">TKEY</strong></span>
         query
         (including any appropriate KEYs) to a TKEY-aware server.  The
         server response, if it indicates success, will contain a
         <span><strong class="command">TKEY</strong></span> record and any appropriate keys.
         After
         this exchange, both participants have enough information to
         determine the shared secret; the exact process depends on the
         <span><strong class="command">TKEY</strong></span> mode.  When using the
         Diffie-Hellman
         <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are
         exchanged,
         and the shared secret is derived by both participants.
       </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2570918"></a>SIG(0)</h2></div></div></div>
 <p>
         <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
             transaction signatures as specified in RFC 2535 and RFC 2931.
         SIG(0)
         uses public/private keys to authenticate messages.  Access control
         is performed in the same manner as TSIG keys; privileges can be
         granted or denied based on the key name.
       </p>
 <p>
         When a SIG(0) signed message is received, it will only be
         verified if the key is known and trusted by the server; the server
         will not attempt to locate and/or validate the key.
       </p>
 <p>
         SIG(0) signing of multiple-message TCP streams is not
         supported.
       </p>
 <p>
         The only tool shipped with <acronym class="acronym">BIND</acronym> 9 that
         generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.
       </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
 <p>
         Cryptographic authentication of DNS information is possible
         through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
         defined in RFC 4033, RFC 4034, and RFC 4035.
         This section describes the creation and use of DNSSEC signed zones.
       </p>
 <p>
         In order to set up a DNSSEC secure zone, there are a series
         of steps which must be followed.  <acronym class="acronym">BIND</acronym>
         9 ships
         with several tools
         that are used in this process, which are explained in more detail
         below.  In all cases, the <code class="option">-h</code> option prints a
         full list of parameters.  Note that the DNSSEC tools require the
         keyset files to be in the working directory or the
         directory specified by the <code class="option">-d</code> option, and
         that the tools shipped with BIND 9.2.x and earlier are not compatible
         with the current ones.
       </p>
 <p>
         There must also be communication with the administrators of
         the parent and/or child zone to transmit keys.  A zone's security
         status must be indicated by the parent zone for a DNSSEC capable
         resolver to trust its data.  This is done through the presence
         or absence of a <code class="literal">DS</code> record at the
         delegation
         point.
       </p>
 <p>
         For other servers to trust data in this zone, they must
         either be statically configured with this zone's zone key or the
         zone key of another zone above this one in the DNS tree.
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2571054"></a>Generating Keys</h3></div></div></div>
 <p>
           The <span><strong class="command">dnssec-keygen</strong></span> program is used to
           generate keys.
         </p>
 <p>
           A secure zone must contain one or more zone keys.  The
           zone keys will sign all other records in the zone, as well as
           the zone keys of any secure delegated zones.  Zone keys must
           have the same name as the zone, a name type of
           <span><strong class="command">ZONE</strong></span>, and must be usable for
           authentication.
           It is recommended that zone keys use a cryptographic algorithm
           designated as "mandatory to implement" by the IETF; currently
           the only one is RSASHA1.
         </p>
 <p>
           The following command will generate a 768-bit RSASHA1 key for
           the <code class="filename">child.example</code> zone:
         </p>
 <p>
           <strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong>
         </p>
 <p>
           Two output files will be produced:
           <code class="filename">Kchild.example.+005+12345.key</code> and
           <code class="filename">Kchild.example.+005+12345.private</code>
           (where
           12345 is an example of a key tag).  The key filenames contain
           the key name (<code class="filename">child.example.</code>),
           algorithm (3
           is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
           this case).
           The private key (in the <code class="filename">.private</code>
           file) is
           used to generate signatures, and the public key (in the
           <code class="filename">.key</code> file) is used for signature
           verification.
         </p>
 <p>
           To generate another key with the same properties (but with
           a different key tag), repeat the above command.
         </p>
 <p>
           The <span><strong class="command">dnssec-keyfromlabel</strong></span> program is used
           to get a key pair from a crypto hardware and build the key
           files. Its usage is similar to <span><strong class="command">dnssec-keygen</strong></span>.
         </p>
 <p>
           The public keys should be inserted into the zone file by
           including the <code class="filename">.key</code> files using
           <span><strong class="command">$INCLUDE</strong></span> statements.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2571338"></a>Signing the Zone</h3></div></div></div>
 <p>
           The <span><strong class="command">dnssec-signzone</strong></span> program is used
           to sign a zone.
         </p>
 <p>
           Any <code class="filename">keyset</code> files corresponding to
           secure subzones should be present.  The zone signer will
           generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
           and <code class="literal">RRSIG</code> records for the zone, as
           well as <code class="literal">DS</code> for the child zones if
           <code class="literal">'-g'</code> is specified.  If <code class="literal">'-g'</code>
           is not specified, then DS RRsets for the secure child
           zones need to be added manually.
         </p>
 <p>
           The following command signs the zone, assuming it is in a
           file called <code class="filename">zone.child.example</code>.  By
                 default, all zone keys which have an available private key are
                 used to generate signatures.
         </p>
 <p>
           <strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong>
         </p>
 <p>
           One output file is produced:
           <code class="filename">zone.child.example.signed</code>.  This
           file
           should be referenced by <code class="filename">named.conf</code>
           as the
           input file for the zone.
         </p>
 <p><span><strong class="command">dnssec-signzone</strong></span>
           will also produce a keyset and dsset files and optionally a
           dlvset file.  These are used to provide the parent zone
           administrators with the <code class="literal">DNSKEYs</code> (or their
           corresponding <code class="literal">DS</code> records) that are the
           secure entry point to the zone.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2571419"></a>Configuring Servers</h3></div></div></div>
 <p>
           To enable <span><strong class="command">named</strong></span> to respond appropriately
           to DNS requests from DNSSEC aware clients,
           <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
           (This is the default setting.)
         </p>
 <p>
           To enable <span><strong class="command">named</strong></span> to validate answers from
           other servers, the <span><strong class="command">dnssec-enable</strong></span> option
           must be set to <strong class="userinput"><code>yes</code></strong>, and the
           <span><strong class="command">dnssec-validation</strong></span> options must be set to 
           <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
         </p>
 <p>
           If <span><strong class="command">dnssec-validation</strong></span> is set to
           <strong class="userinput"><code>auto</code></strong>, then a default
           trust anchor for the DNS root zone will be used.
           If it is set to <strong class="userinput"><code>yes</code></strong>, however,
           then at least one trust anchor must be configured
           with a <span><strong class="command">trusted-keys</strong></span> or
           <span><strong class="command">managed-keys</strong></span> statement in
           <code class="filename">named.conf</code>, or DNSSEC validation
           will not occur.  The default setting is
           <strong class="userinput"><code>yes</code></strong>.
         </p>
 <p>
           <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
           for zones that are used to form the first link in the
           cryptographic chain of trust.  All keys listed in
           <span><strong class="command">trusted-keys</strong></span> (and corresponding zones)
           are deemed to exist and only the listed keys will be used
           to validated the DNSKEY RRset that they are from.
         </p>
 <p>
           <span><strong class="command">managed-keys</strong></span> are trusted keys which are
           automatically kept up to date via RFC 5011 trust anchor
           maintenance.
         </p>
 <p>
           <span><strong class="command">trusted-keys</strong></span> and
           <span><strong class="command">managed-keys</strong></span> are described in more detail
           later in this document.
         </p>
 <p>
           Unlike <acronym class="acronym">BIND</acronym> 8, <acronym class="acronym">BIND</acronym>
           9 does not verify signatures on load, so zone keys for
           authoritative zones do not need to be specified in the
           configuration file.
         </p>
 <p>
           After DNSSEC gets established, a typical DNSSEC configuration
           will look something like the following.  It has one or
           more public keys for the root.  This allows answers from
           outside the organization to be validated.  It will also
           have several keys for parts of the namespace the organization
           controls.  These are here to ensure that <span><strong class="command">named</strong></span>
           is immune to compromises in the DNSSEC components of the security
           of parent zones.
         </p>
 <pre class="programlisting">
 managed-keys {
         /* Root Key */
         "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
                                  JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
                                  aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
                                  4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
                                  hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
                                  5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
                                  g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
                                  66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
                                  97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
                                  dgxbcDTClU0CRBdiieyLMNzXG3";
 };
 
 trusted-keys {
         /* Key for our organization's forward zone */
         example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
                               5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
                               GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
                               4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
                               kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
                               g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
                               TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
                               FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
                               F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
                               /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
                               1OTQ09A0=";
 
         /* Key for our reverse zone. */
         2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
                                        xOdNax071L18QqZnQQQAVVr+i
                                        LhGTnNGp3HoWQLUIzKrJVZ3zg
                                        gy3WwNT6kZo6c0tszYqbtvchm
                                        gQC8CzKojM/W16i6MG/eafGU3
                                        siaOdS0yOI6BgPsw+YZdzlYMa
                                        IJGf4M4dyoKIhzdZyQ2bYQrjy
                                        Q4LB0lC7aOnsMyYKHHYeRvPxj
                                        IQXmdqgOJGq+vsevG06zW+1xg
                                        YJh9rCIfnm1GX/KMgxLPG2vXT
                                        D/RnLX+D3T3UL7HJYHJhAZD5L
                                        59VvjSPsZJHeDCUyWYrvPZesZ
                                        DIRvhDD52SKvbheeTJUm6Ehkz
                                        ytNN2SN96QRk8j/iI8ib";
 };
 
 options {
         ...
         dnssec-enable yes;
         dnssec-validation yes;
 };
 </pre>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
           None of the keys listed in this example are valid.  In particular,
           the root key is not valid.
         </div>
 <p>
           When DNSSEC validation is enabled and properly configured,
           the resolver will reject any answers from signed, secure zones
           which fail to validate, and will return SERVFAIL to the client.
         </p>
 <p>
           Responses may fail to validate for any of several reasons,
           including missing, expired, or invalid signatures, a key which
           does not match the DS RRset in the parent zone, or an insecure
           response from a zone which, according to its parent, should have
           been secure.  
         </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
             When the validator receives a response from an unsigned zone
             that has a signed parent, it must confirm with the parent
             that the zone was intentionally left unsigned.  It does
             this by verifying, via signed and validated NSEC/NSEC3 records,
             that the parent zone contains no DS records for the child.
           </p>
 <p>
             If the validator <span class="emphasis"><em>can</em></span> prove that the zone
             is insecure, then the response is accepted.  However, if it
             cannot, then it must assume an insecure response to be a
             forgery; it rejects the response and logs an error.
           </p>
 <p>
             The logged error reads "insecurity proof failed" and
             "got insecure response; parent indicates it should be secure".
             (Prior to BIND 9.7, the logged error was "not insecure".
             This referred to the zone, not the response.)
           </p>
 </div>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
 <p>As of BIND 9.7.0 it is possible to change a dynamic zone
   from insecure to signed and back again. A secure zone can use
   either NSEC or NSEC3 chains.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
 <a name="id2609449"></a>Converting from insecure to secure</h3></div></div></div></div>
 <p>Changing a zone from insecure to secure can be done in two
   ways: using a dynamic DNS update, or the 
   <span><strong class="command">auto-dnssec</strong></span> zone option.</p>
 <p>For either method, you need to configure 
   <span><strong class="command">named</strong></span> so that it can see the 
   <code class="filename">K*</code> files which contain the public and private
   parts of the keys that will be used to sign the zone. These files
   will have been generated by 
   <span><strong class="command">dnssec-keygen</strong></span>. You can do this by placing them
   in the key-directory, as specified in 
   <code class="filename">named.conf</code>:</p>
 <pre class="programlisting">
         zone example.net {
                 type master;
                 update-policy local;
                 file "dynamic/example.net/example.net";
                 key-directory "dynamic/example.net";
         };
 </pre>
 <p>If one KSK and one ZSK DNSKEY key have been generated, this
   configuration will cause all records in the zone to be signed
   with the ZSK, and the DNSKEY RRset to be signed with the KSK as
   well. An NSEC chain will be generated as part of the initial
   signing process.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
 <a name="id2609486"></a>Dynamic DNS update method</h3></div></div></div></div>
 <p>To insert the keys via dynamic update:</p>
 <pre class="screen">
         % nsupdate
         &gt; ttl 3600
         &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
         &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
         &gt; send
 </pre>
 <p>While the update request will complete almost immediately,
   the zone will not be completely signed until 
   <span><strong class="command">named</strong></span> has had time to walk the zone and
   generate the NSEC and RRSIG records. The NSEC record at the apex
   will be added last, to signal that there is a complete NSEC
   chain.</p>
 <p>If you wish to sign using NSEC3 instead of NSEC, you should
   add an NSEC3PARAM record to the initial update request. If you
   wish the NSEC3 chain to have the OPTOUT bit set, set it in the
   flags field of the NSEC3PARAM record.</p>
 <pre class="screen">
         % nsupdate
         &gt; ttl 3600
         &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
         &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
         &gt; update add example.net NSEC3PARAM 1 1 100 1234567890
         &gt; send
 </pre>
 <p>Again, this update request will complete almost
   immediately; however, the record won't show up until 
   <span><strong class="command">named</strong></span> has had a chance to build/remove the
   relevant chain. A private type record will be created to record
   the state of the operation (see below for more details), and will
   be removed once the operation completes.</p>
 <p>While the initial signing and NSEC/NSEC3 chain generation
   is happening, other updates are possible as well.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
 <a name="id2563716"></a>Fully automatic zone signing</h3></div></div></div></div>
 <p>To enable automatic signing, add the 
   <span><strong class="command">auto-dnssec</strong></span> option to the zone statement in 
   <code class="filename">named.conf</code>. 
   <span><strong class="command">auto-dnssec</strong></span> has two possible arguments: 
   <code class="constant">allow</code> or 
   <code class="constant">maintain</code>.</p>
 <p>With 
   <span><strong class="command">auto-dnssec allow</strong></span>, 
   <span><strong class="command">named</strong></span> can search the key directory for keys
   matching the zone, insert them into the zone, and use them to
   sign the zone. It will do so only when it receives an 
   <span><strong class="command">rndc sign &lt;zonename&gt;</strong></span>.</p>
 <p>
   
   <span><strong class="command">auto-dnssec maintain</strong></span> includes the above
   functionality, but will also automatically adjust the zone's
   DNSKEY records on schedule according to the keys' timing metadata.
   (See <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
   <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.) 
   </p>
 <p>
   <span><strong class="command">named</strong></span> will periodically search the key directory
   for keys matching the zone, and if the keys' metadata indicates
   that any change should be made the zone, such as adding, removing,
   or revoking a key, then that action will be carried out.  By default,
   the key directory is checked for changes every 60 minutes; this period
   can be adjusted with the <code class="option">dnssec-loadkeys-interval</code>, up
   to a maximum of 24 hours.  The <span><strong class="command">rndc loadkeys</strong></span> forces
   <span><strong class="command">named</strong></span> to check for key updates immediately.
   </p>
 <p>
   If keys are present in the key directory the first time the zone
   is loaded, the zone will be signed immediately, without waiting for an 
   <span><strong class="command">rndc sign</strong></span> or <span><strong class="command">rndc loadkeys</strong></span>
   command. (Those commands can still be used when there are unscheduled
   key changes, however.)
   </p>
 <p>
   When new keys are added to a zone, the TTL is set to match that
   of any existing DNSKEY RRset. If there is no existing DNSKEY RRset,
   then the TTL will be set to the TTL specified when the key was
   created (using the <span><strong class="command">dnssec-keygen -L</strong></span> option), if
   any, or to the SOA TTL.
   </p>
 <p>
   If you wish the zone to be signed using NSEC3 instead of NSEC,
   submit an NSEC3PARAM record via dynamic update prior to the
   scheduled publication and activation of the keys.  If you wish the
   NSEC3 chain to have the OPTOUT bit set, set it in the flags field
   of the NSEC3PARAM record.  The NSEC3PARAM record will not appear in
   the zone immediately, but it will be stored for later reference.  When
   the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
   record will appear in the zone.
   </p>
 <p>Using the 
   <span><strong class="command">auto-dnssec</strong></span> option requires the zone to be
   configured to allow dynamic updates, by adding an 
   <span><strong class="command">allow-update</strong></span> or 
   <span><strong class="command">update-policy</strong></span> statement to the zone
   configuration. If this has not been done, the configuration will
   fail.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
 <a name="id2563963"></a>Private-type records</h3></div></div></div></div>
 <p>The state of the signing process is signaled by
   private-type records (with a default type value of 65534). When
   signing is complete, these records will have a nonzero value for
   the final octet (for those records which have a nonzero initial
   octet).</p>
 <p>The private type record format: If the first octet is
   non-zero then the record indicates that the zone needs to be
   signed with the key matching the record, or that all signatures
   that match the record should be removed.</p>
 <p>
     </p>
 <div class="literallayout"><p><br>
 <br>
   algorithm (octet 1)<br>
   key id in network order (octet 2 and 3)<br>
   removal flag (octet 4)<br>
   complete flag (octet 5)<br>
 </p></div>
 <p>
   </p>
 <p>Only records flagged as "complete" can be removed via
   dynamic update. Attempts to remove other private type records
   will be silently ignored.</p>
 <p>If the first octet is zero (this is a reserved algorithm
   number that should never appear in a DNSKEY record) then the
   record indicates changes to the NSEC3 chains are in progress. The
   rest of the record contains an NSEC3PARAM record. The flag field
   tells what operation to perform based on the flag bits.</p>
 <p>
     </p>
 <div class="literallayout"><p><br>
 <br>
   0x01 OPTOUT<br>
   0x80 CREATE<br>
   0x40 REMOVE<br>
   0x20 NONSEC<br>
 </p></div>
 <p>
   </p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
 <a name="id2564001"></a>DNSKEY rollovers</h3></div></div></div></div>
 <p>As with insecure-to-secure conversions, rolling DNSSEC
   keys can be done in two ways: using a dynamic DNS update, or the 
   <span><strong class="command">auto-dnssec</strong></span> zone option.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
 <a name="id2564013"></a>Dynamic DNS update method</h3></div></div></div></div>
 <p> To perform key rollovers via dynamic update, you need to add
   the <code class="filename">K*</code> files for the new keys so that 
   <span><strong class="command">named</strong></span> can find them. You can then add the new
   DNSKEY RRs via dynamic update. 
   <span><strong class="command">named</strong></span> will then cause the zone to be signed
   with the new keys. When the signing is complete the private type
   records will be updated so that the last octet is non
   zero.</p>
 <p>If this is for a KSK you need to inform the parent and any
   trust anchor repositories of the new KSK.</p>
 <p>You should then wait for the maximum TTL in the zone before
   removing the old DNSKEY. If it is a KSK that is being updated,
   you also need to wait for the DS RRset in the parent to be
   updated and its TTL to expire. This ensures that all clients will
   be able to verify at least one signature when you remove the old
   DNSKEY.</p>
 <p>The old DNSKEY can be removed via UPDATE. Take care to
   specify the correct key. 
   <span><strong class="command">named</strong></span> will clean out any signatures generated
   by the old key after the update completes.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
 <a name="id2569781"></a>Automatic key rollovers</h3></div></div></div></div>
 <p>When a new key reaches its activation date (as set by
   <span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>),
   if the <span><strong class="command">auto-dnssec</strong></span> zone option is set to 
   <code class="constant">maintain</code>, <span><strong class="command">named</strong></span> will
   automatically carry out the key rollover.  If the key's algorithm
   has not previously been used to sign the zone, then the zone will
   be fully signed as quickly as possible.  However, if the new key
   is replacing an existing key of the same algorithm, then the
   zone will be re-signed incrementally, with signatures from the
   old key being replaced with signatures from the new key as their
   signature validity periods expire.  By default, this rollover
   completes in 30 days, after which it will be safe to remove the
   old key from the DNSKEY RRset.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
 <a name="id2569808"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
 <p>Add the new NSEC3PARAM record via dynamic update. When the
   new NSEC3 chain has been generated, the NSEC3PARAM flag field
   will be zero. At this point you can remove the old NSEC3PARAM
   record. The old chain will be removed after the update request
   completes.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
 <a name="id2569817"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
 <p>To do this, you just need to add an NSEC3PARAM record. When
   the conversion is complete, the NSEC chain will have been removed
   and the NSEC3PARAM record will have a zero flag field. The NSEC3
   chain will be generated before the NSEC chain is
   destroyed.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
 <a name="id2569827"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
 <p>To do this, use <span><strong class="command">nsupdate</strong></span> to
   remove all NSEC3PARAM records with a zero flag
   field. The NSEC chain will be generated before the NSEC3 chain is
   removed.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
 <a name="id2608888"></a>Converting from secure to insecure</h3></div></div></div></div>
 <p>To convert a signed zone to unsigned using dynamic DNS,
   delete all the DNSKEY records from the zone apex using
   <span><strong class="command">nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
   and associated NSEC3PARAM records will be removed automatically.
   This will take place after the update request completes.</p>
 <p> This requires the 
   <span><strong class="command">dnssec-secure-to-insecure</strong></span> option to be set to 
   <strong class="userinput"><code>yes</code></strong> in 
   <code class="filename">named.conf</code>.</p>
 <p>In addition, if the <span><strong class="command">auto-dnssec maintain</strong></span>
   zone statement is used, it should be removed or changed to
   <span><strong class="command">allow</strong></span> instead (or it will re-sign).
   </p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
 <a name="id2608925"></a>Periodic re-signing</h3></div></div></div></div>
 <p>In any secure zone which supports dynamic updates, named
   will periodically re-sign RRsets which have not been re-signed as
   a result of some update action. The signature lifetimes will be
   adjusted so as to spread the re-sign load over time rather than
   all at once.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
 <a name="id2608935"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
 <p>
   <span><strong class="command">named</strong></span> only supports creating new NSEC3 chains
   where all the NSEC3 records in the zone have the same OPTOUT
   state. 
   <span><strong class="command">named</strong></span> supports UPDATES to zones where the NSEC3
   records in the chain have mixed OPTOUT state. 
   <span><strong class="command">named</strong></span> does not support changing the OPTOUT
   state of an individual NSEC3 record, the entire chain needs to be
   changed if the OPTOUT state of an individual NSEC3 needs to be
   changed.</p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
 <p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
   anchor management. Using this feature allows 
   <span><strong class="command">named</strong></span> to keep track of changes to critical
   DNSSEC keys without any need for the operator to make changes to
   configuration files.</p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2569982"></a>Validating Resolver</h3></div></div></div>
 <p>To configure a validating resolver to use RFC 5011 to
     maintain a trust anchor, configure the trust anchor using a 
     <span><strong class="command">managed-keys</strong></span> statement. Information about
     this can be found in 
     <a href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition
             and Usage">the section called &#8220;<span><strong class="command">managed-keys</strong></span> Statement Definition
             and Usage&#8221;</a>.</p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2570005"></a>Authoritative Server</h3></div></div></div>
 <p>To set up an authoritative zone for RFC 5011 trust anchor
     maintenance, generate two (or more) key signing keys (KSKs) for
     the zone. Sign the zone with one of them; this is the "active"
     KSK. All KSK's which do not sign the zone are "stand-by"
     keys.</p>
 <p>Any validating resolver which is configured to use the
     active KSK as an RFC 5011-managed trust anchor will take note
     of the stand-by KSKs in the zone's DNSKEY RRset, and store them
     for future reference. The resolver will recheck the zone
     periodically, and after 30 days, if the new key is still there,
     then the key will be accepted by the resolver as a valid trust
     anchor for the zone. Any time after this 30-day acceptance
     timer has completed, the active KSK can be revoked, and the
     zone can be "rolled over" to the newly accepted key.</p>
 <p>The easiest way to place a stand-by key in a zone is to
     use the "smart signing" features of 
     <span><strong class="command">dnssec-keygen</strong></span> and 
     <span><strong class="command">dnssec-signzone</strong></span>. If a key with a publication
     date in the past, but an activation date which is unset or in
     the future, " 
     <span><strong class="command">dnssec-signzone -S</strong></span>" will include the DNSKEY
     record in the zone, but will not sign with it:</p>
 <pre class="screen">
 $ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
 $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong>
 </pre>
 <p>To revoke a key, the new command 
     <span><strong class="command">dnssec-revoke</strong></span> has been added. This adds the
     REVOKED bit to the key flags and re-generates the 
     <code class="filename">K*.key</code> and 
     <code class="filename">K*.private</code> files.</p>
 <p>After revoking the active key, the zone must be signed
     with both the revoked KSK and the new active KSK. (Smart
     signing takes care of this automatically.)</p>
 <p>Once a key has been revoked and used to sign the DNSKEY
     RRset in which it appears, that key will never again be
     accepted as a valid trust anchor by the resolver. However,
     validation can proceed using the new active key (which had been
     accepted by the resolver when it was a stand-by key).</p>
 <p>See RFC 5011 for more details on key rollover
     scenarios.</p>
 <p>When a key has been revoked, its key ID changes,
     increasing by 128, and wrapping around at 65535. So, for
     example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes
     "<code class="filename">Kexample.com.+005+10128</code>".</p>
 <p>If two keys have ID's exactly 128 apart, and one is
     revoked, then the two key ID's will collide, causing several
     problems. To prevent this, 
     <span><strong class="command">dnssec-keygen</strong></span> will not generate a new key if
     another key is present which may collide. This checking will
     only occur if the new keys are written to the same directory
     which holds all other keys in use for that zone.</p>
 <p>Older versions of BIND 9 did not have this precaution.
     Exercise caution if using key revocation on keys that were
     generated by previous releases, or if using keys stored in
     multiple directories or on multiple machines.</p>
 <p>It is expected that a future release of BIND 9 will
     address this problem in a different way, by storing revoked
     keys with their original unrevoked key ID's.</p>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="pkcs11"></a>PKCS #11 (Cryptoki) support</h2></div></div></div>
 <p>PKCS #11 (Public Key Cryptography Standard #11) defines a
   platform- independent API for the control of hardware security
   modules (HSMs) and other cryptographic support devices.</p>
 <p>BIND 9 is known to work with two HSMs: The Sun SCA 6000
   cryptographic acceleration board, tested under Solaris x86, and
   the AEP Keyper network-attached key storage device, tested with
   Debian Linux, Solaris x86 and Windows Server 2003.</p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2609020"></a>Prerequisites</h3></div></div></div>
 <p>See the HSM vendor documentation for information about
     installing, initializing, testing and troubleshooting the
     HSM.</p>
 <p>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL
     does not yet fully support PKCS #11. However, a PKCS #11 engine
     for OpenSSL is available from the OpenSolaris project. It has
     been modified by ISC to work with with BIND 9, and to provide
     new features such as PIN management and key by
     reference.</p>
 <p>The patched OpenSSL depends on a "PKCS #11 provider".
     This is a shared library object, providing a low-level PKCS #11
     interface to the HSM hardware. It is dynamically loaded by
     OpenSSL at runtime. The PKCS #11 provider comes from the HSM
     vendor, and is specific to the HSM to be controlled.</p>
 <p>There are two "flavors" of PKCS #11 support provided by
     the patched OpenSSL, one of which must be chosen at
     configuration time. The correct choice depends on the HSM
     hardware:</p>
 <div class="itemizedlist"><ul type="disc">
 <li><p>Use 'crypto-accelerator' with HSMs that have hardware
         cryptographic acceleration features, such as the SCA 6000
         board. This causes OpenSSL to run all supported
         cryptographic operations in the HSM.</p></li>
 <li><p>Use 'sign-only' with HSMs that are designed to
         function primarily as secure key storage devices, but lack
         hardware acceleration. These devices are highly secure, but
         are not necessarily any faster at cryptography than the
         system CPU &#8212; often, they are slower. It is therefore
         most efficient to use them only for those cryptographic
         functions that require access to the secured private key,
         such as zone signing, and to use the system CPU for all
         other computationally-intensive operations. The AEP Keyper
         is an example of such a device.</p></li>
 </ul></div>
 <p>
       The modified OpenSSL code is included in the BIND 9 release,
       in the form of a context diff against the latest versions of
       OpenSSL.  OpenSSL 0.9.8, 1.0.0, and 1.0.1 are supported; there are
       separate diffs for each version.  In the examples to follow,
       we use OpenSSL 0.9.8, but the same methods work with OpenSSL
       1.0.0 and 1.0.1.
     </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
       The latest OpenSSL versions at the time of the BIND release
       are 0.9.8y, 1.0.0k and 1.0.1e.
       ISC will provide an updated patch as new versions of OpenSSL
       are released. The version number in the following examples
       is expected to change.</div>
 <p>
     Before building BIND 9 with PKCS #11 support, it will be
     necessary to build OpenSSL with this patch in place and inform
     it of the path to the HSM-specific PKCS #11 provider
     library.</p>
 <p>Obtain OpenSSL 0.9.8s:</p>
 <pre class="screen">
 $ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8s.tar.gz</a></code></strong>
 </pre>
 <p>Extract the tarball:</p>
 <pre class="screen">
 $ <strong class="userinput"><code>tar zxf openssl-0.9.8s.tar.gz</code></strong>
 </pre>
 <p>Apply the patch from the BIND 9 release:</p>
 <pre class="screen">
 $ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8s \
             &lt; bind9/bin/pkcs11/openssl-0.9.8s-patch</code></strong>
 </pre>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>(Note that the patch file may not be compatible with the
     "patch" utility on all operating systems. You may need to
     install GNU patch.)</div>
 <p>When building OpenSSL, place it in a non-standard
     location so that it does not interfere with OpenSSL libraries
     elsewhere on the system. In the following examples, we choose
     to install into "/opt/pkcs11/usr". We will use this location
     when we configure BIND 9.</p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2609731"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
 <p>The AEP Keyper is a highly secure key storage device,
       but does not provide hardware cryptographic acceleration. It
       can carry out cryptographic operations, but it is probably
       slower than your system's CPU. Therefore, we choose the
       'sign-only' flavor when building OpenSSL.</p>
 <p>The Keyper-specific PKCS #11 provider library is
       delivered with the Keyper software. In this example, we place
       it /opt/pkcs11/usr/lib:</p>
 <pre class="screen">
 $ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
 </pre>
 <p>This library is only available for Linux as a 32-bit
       binary. If we are compiling on a 64-bit Linux system, it is
       necessary to force a 32-bit build, by specifying -m32 in the
       build options.</p>
 <p>Finally, the Keyper library requires threads, so we
       must specify -pthread.</p>
 <pre class="screen">
 $ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
 $ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \
             --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
             --pk11-flavor=sign-only \
             --prefix=/opt/pkcs11/usr</code></strong>
 </pre>
 <p>After configuring, run "<span><strong class="command">make</strong></span>"
       and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
       test</strong></span>" fails with "pthread_atfork() not found", you forgot to
       add the -pthread above.</p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2609868"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
 <p>The SCA-6000 PKCS #11 provider is installed as a system
       library, libpkcs11. It is a true crypto accelerator, up to 4
       times faster than any CPU, so the flavor shall be
       'crypto-accelerator'.</p>
 <p>In this example, we are building on Solaris x86 on an
       AMD64 system.</p>
 <pre class="screen">
 $ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
 $ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
             --pk11-libname=/usr/lib/64/libpkcs11.so \
             --pk11-flavor=crypto-accelerator \
             --prefix=/opt/pkcs11/usr</code></strong>
 </pre>
 <p>(For a 32-bit build, use "solaris-x86-cc" and
       /usr/lib/libpkcs11.so.)</p>
 <p>After configuring, run 
       <span><strong class="command">make</strong></span> and 
       <span><strong class="command">make test</strong></span>.</p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2609986"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
 <p>SoftHSM is a software library provided by the OpenDNSSEC
       project (http://www.opendnssec.org) which provides a PKCS#11
       interface to a virtual HSM, implemented in the form of encrypted
       data on the local filesystem.  It uses the Botan library for
       encryption and SQLite3 for data storage.  Though less secure
       than a true HSM, it can provide more secure key storage than
       traditional key files, and can allow you to experiment with
       PKCS#11 when an HSM is not available.</p>
 <p>The SoftHSM cryptographic store must be installed and
       initialized before using it with OpenSSL, and the SOFTHSM_CONF
       environment variable must always point to the SoftHSM configuration
       file:</p>
 <pre class="screen">
 $ <strong class="userinput"><code> cd softhsm-1.3.0 </code></strong>
 $ <strong class="userinput"><code> configure --prefix=/opt/pkcs11/usr </code></strong>
 $ <strong class="userinput"><code> make </code></strong>
 $ <strong class="userinput"><code> make install </code></strong>
 $ <strong class="userinput"><code> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </code></strong>
 $ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" &gt; $SOFTHSM_CONF </code></strong>
 $ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
 </pre>
 <p>SoftHSM can perform all cryptographic operations, but
       since it only uses your system CPU, there is no need to use it
       for anything but signing.  Therefore, we choose the 'sign-only'
       flavor when building OpenSSL.</p>
 <pre class="screen">
 $ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
 $ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
             --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
             --pk11-flavor=sign-only \
             --prefix=/opt/pkcs11/usr</code></strong>
 </pre>
 <p>After configuring, run "<span><strong class="command">make</strong></span>"
       and "<span><strong class="command">make test</strong></span>".</p>
 </div>
 <p>Once you have built OpenSSL, run
     "<span><strong class="command">apps/openssl engine pkcs11</strong></span>" to confirm
     that PKCS #11 support was compiled in correctly. The output
     should be one of the following lines, depending on the flavor
     selected:</p>
 <pre class="screen">
         (pkcs11) PKCS #11 engine support (sign only)
 </pre>
 <p>Or:</p>
 <pre class="screen">
         (pkcs11) PKCS #11 engine support (crypto accelerator)
 </pre>
 <p>Next, run
     "<span><strong class="command">apps/openssl engine pkcs11 -t</strong></span>". This will
     attempt to initialize the PKCS #11 engine. If it is able to
     do so successfully, it will report
     &#8220;<span class="quote"><code class="literal">[ available ]</code></span>&#8221;.</p>
 <p>If the output is correct, run
     "<span><strong class="command">make install</strong></span>" which will install the
     modified OpenSSL suite to 
     <code class="filename">/opt/pkcs11/usr</code>.</p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2610137"></a>Building BIND 9 with PKCS#11</h3></div></div></div>
 <p>When building BIND 9, the location of the custom-built
     OpenSSL library must be specified via configure.</p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2610146"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
 <p>To link with the PKCS #11 provider, threads must be
       enabled in the BIND 9 build.</p>
 <p>The PKCS #11 library for the AEP Keyper is currently
       only available as a 32-bit binary. If we are building on a
       64-bit host, we must force a 32-bit build by adding "-m32" to
       the CC options on the "configure" command line.</p>
 <pre class="screen">
 $ <strong class="userinput"><code>cd ../bind9</code></strong>
 $ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \
            --with-openssl=/opt/pkcs11/usr \
            --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
 </pre>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2610178"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
 <p>To link with the PKCS #11 provider, threads must be
       enabled in the BIND 9 build.</p>
 <pre class="screen">
 $ <strong class="userinput"><code>cd ../bind9</code></strong>
 $ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-threads \
             --with-openssl=/opt/pkcs11/usr \
             --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
 </pre>
 <p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
 <p>If configure complains about OpenSSL not working, you
       may have a 32/64-bit architecture mismatch. Or, you may have
       incorrectly specified the path to OpenSSL (it should be the
       same as the --prefix argument to the OpenSSL
       Configure).</p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2610214"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
 <pre class="screen">
 $ <strong class="userinput"><code>cd ../bind9</code></strong>
 $ <strong class="userinput"><code>./configure --enable-threads \
            --with-openssl=/opt/pkcs11/usr \
            --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
 </pre>
 </div>
 <p>After configuring, run
     "<span><strong class="command">make</strong></span>",
     "<span><strong class="command">make test</strong></span>" and
     "<span><strong class="command">make install</strong></span>".</p>
 <p>(Note: If "make test" fails in the "pkcs11" system test, you may
     have forgotten to set the SOFTHSM_CONF environment variable.)</p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2612651"></a>PKCS #11 Tools</h3></div></div></div>
 <p>BIND 9 includes a minimal set of tools to operate the
     HSM, including 
     <span><strong class="command">pkcs11-keygen</strong></span> to generate a new key pair
     within the HSM, 
     <span><strong class="command">pkcs11-list</strong></span> to list objects currently
     available, and 
     <span><strong class="command">pkcs11-destroy</strong></span> to remove objects.</p>
 <p>In UNIX/Linux builds, these tools are built only if BIND
     9 is configured with the --with-pkcs11 option. (NOTE: If
     --with-pkcs11 is set to "yes", rather than to the path of the
     PKCS #11 provider, then the tools will be built but the
     provider will be left undefined. Use the -m option or the
     PKCS11_PROVIDER environment variable to specify the path to the
     provider.)</p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2612682"></a>Using the HSM</h3></div></div></div>
 <p>First, we must set up the runtime environment so the
     OpenSSL and PKCS #11 libraries can be loaded:</p>
 <pre class="screen">
 $ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
 </pre>
 <p>When operating an AEP Keyper, it is also necessary to
     specify the location of the "machine" file, which stores
     information about the Keyper for use by PKCS #11 provider
     library. If the machine file is in 
     <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>,
     use:</p>
 <pre class="screen">
 $ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
 </pre>
 <p>These environment variables must be set whenever running
     any tool that uses the HSM, including 
     <span><strong class="command">pkcs11-keygen</strong></span>, 
     <span><strong class="command">pkcs11-list</strong></span>, 
     <span><strong class="command">pkcs11-destroy</strong></span>, 
     <span><strong class="command">dnssec-keyfromlabel</strong></span>, 
     <span><strong class="command">dnssec-signzone</strong></span>, 
     <span><strong class="command">dnssec-keygen</strong></span>(which will use the HSM for
     random number generation), and 
     <span><strong class="command">named</strong></span>.</p>
 <p>We can now create and use keys in the HSM. In this case,
     we will create a 2048 bit key and give it the label
     "sample-ksk":</p>
 <pre class="screen">
 $ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong>
 </pre>
 <p>To confirm that the key exists:</p>
 <pre class="screen">
 $ <strong class="userinput"><code>pkcs11-list</code></strong>
 Enter PIN:
 object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
 object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
 </pre>
 <p>Before using this key to sign a zone, we must create a
     pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
     does this. In this case, we will be using the HSM key
     "sample-ksk" as the key-signing key for "example.net":</p>
 <pre class="screen">
 $ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
 </pre>
 <p>The resulting K*.key and K*.private files can now be used
     to sign the zone. Unlike normal K* files, which contain both
     public and private key data, these files will contain only the
     public key data, plus an identifier for the private key which
     remains stored within the HSM. The HSM handles signing with the
     private key.</p>
 <p>If you wish to generate a second key in the HSM for use
     as a zone-signing key, follow the same procedure above, using a
     different keylabel, a smaller key size, and omitting "-f KSK"
     from the dnssec-keyfromlabel arguments:</p>
 <pre class="screen">
 $ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong>
 $ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong>
 </pre>
 <p>Alternatively, you may prefer to generate a conventional
     on-disk key, using dnssec-keygen:</p>
 <pre class="screen">
 $ <strong class="userinput"><code>dnssec-keygen example.net</code></strong>
 </pre>
 <p>This provides less security than an HSM key, but since
     HSMs can be slow or cumbersome to use for security reasons, it
     may be more efficient to reserve HSM keys for use in the less
     frequent key-signing operation. The zone-signing key can be
     rolled more frequently, if you wish, to compensate for a
     reduction in key security.</p>
 <p>Now you can sign the zone. (Note: If not using the -S
     option to 
     <span><strong class="command">dnssec-signzone</strong></span>, it will be necessary to add
     the contents of both 
     <code class="filename">K*.key</code> files to the zone master file before
     signing it.)</p>
 <pre class="screen">
 $ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong>
 Enter PIN:
 Verifying the zone using the following algorithms:
 NSEC3RSASHA1.
 Zone signing complete:
 Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
 example.net.signed
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2636637"></a>Specifying the engine on the command line</h3></div></div></div>
 <p>The OpenSSL engine can be specified in 
     <span><strong class="command">named</strong></span> and all of the BIND 
     <span><strong class="command">dnssec-*</strong></span> tools by using the "-E
     &lt;engine&gt;" command line option. If BIND 9 is built with
     the --with-pkcs11 option, this option defaults to "pkcs11".
     Specifying the engine will generally not be necessary unless
     for some reason you wish to use a different OpenSSL
     engine.</p>
 <p>If you wish to disable use of the "pkcs11" engine &#8212;
     for troubleshooting purposes, or because the HSM is unavailable
     &#8212; set the engine to the empty string. For example:</p>
 <pre class="screen">
 $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong>
 </pre>
 <p>This causes 
     <span><strong class="command">dnssec-signzone</strong></span> to run as if it were compiled
     without the --with-pkcs11 option.</p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2636683"></a>Running named with automatic zone re-signing</h3></div></div></div>
 <p>If you want 
     <span><strong class="command">named</strong></span> to dynamically re-sign zones using HSM
     keys, and/or to to sign new records inserted via nsupdate, then
     named must have access to the HSM PIN. This can be accomplished
     by placing the PIN into the openssl.cnf file (in the above
     examples, 
     <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).</p>
 <p>The location of the openssl.cnf file can be overridden by
     setting the OPENSSL_CONF environment variable before running
     named.</p>
 <p>Sample openssl.cnf:</p>
 <pre class="programlisting">
         openssl_conf = openssl_def
         [ openssl_def ]
         engines = engine_section
         [ engine_section ]
         pkcs11 = pkcs11_section
         [ pkcs11_section ]
         PIN = <em class="replaceable"><code>&lt;PLACE PIN HERE&gt;</code></em>
 </pre>
 <p>This will also allow the dnssec-* tools to access the HSM
     without PIN entry. (The pkcs11-* tools access the HSM directly,
     not via OpenSSL, so a PIN will still be required to use
     them.)</p>
 <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
 <p>Placing the HSM's PIN in a text file in
       this manner may reduce the security advantage of using an
       HSM. Be sure this is what you want to do before configuring
       OpenSSL in this way.</p>
 </div>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2571639"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
 <p>
         <acronym class="acronym">BIND</acronym> 9 fully supports all currently
         defined forms of IPv6 name to address and address to name
         lookups.  It will also use IPv6 addresses to make queries when
         running on an IPv6 capable system.
       </p>
 <p>
         For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
         only AAAA records.  RFC 3363 deprecated the use of A6 records,
         and client-side support for A6 records was accordingly removed
         from <acronym class="acronym">BIND</acronym> 9.
         However, authoritative <acronym class="acronym">BIND</acronym> 9 name servers still
         load zone files containing A6 records correctly, answer queries
         for A6 records, and accept zone transfer for a zone containing A6
         records.
       </p>
 <p>
         For IPv6 reverse lookups, <acronym class="acronym">BIND</acronym> 9 supports
         the traditional "nibble" format used in the
         <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
         <span class="emphasis"><em>ip6.int</em></span> domain.
         Older versions of <acronym class="acronym">BIND</acronym> 9 
         supported the "binary label" (also known as "bitstring") format,
         but support of binary labels has been completely removed per
         RFC 3363.
         Many applications in <acronym class="acronym">BIND</acronym> 9 do not understand
         the binary label format at all any more, and will return an
         error if given.
         In particular, an authoritative <acronym class="acronym">BIND</acronym> 9
         name server will not load a zone file containing binary labels.
       </p>
 <p>
         For an overview of the format and structure of IPv6 addresses,
         see <a href="Bv9ARM.ch11.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called &#8220;IPv6 addresses (AAAA)&#8221;</a>.
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2571906"></a>Address Lookups Using AAAA Records</h3></div></div></div>
 <p>
           The IPv6 AAAA record is a parallel to the IPv4 A record,
           and, unlike the deprecated A6 record, specifies the entire
           IPv6 address in a single record.  For example,
         </p>
 <pre class="programlisting">
 $ORIGIN example.com.
 host            3600    IN      AAAA    2001:db8::1
 </pre>
 <p>
           Use of IPv4-in-IPv6 mapped addresses is not recommended.
           If a host has an IPv4 address, use an A record, not
           a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as
           the address.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2571927"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
 <p>
           When looking up an address in nibble format, the address
           components are simply reversed, just as in IPv4, and
           <code class="literal">ip6.arpa.</code> is appended to the
           resulting name.
           For example, the following would provide reverse name lookup for
           a host with address
           <code class="literal">2001:db8::1</code>.
         </p>
 <pre class="programlisting">
 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  14400   IN    PTR    (
                                     host.example.com. )
 </pre>
 </div>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Chapter 3. Name Server Configuration </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html	(revision 286124)
@@ -1,144 +1,144 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 5. The BIND 9 Lightweight Resolver</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
 <link rel="next" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch04.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch06.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="chapter" lang="en">
 <div class="titlepage"><div><div><h2 class="title">
 <a name="Bv9ARM.ch05"></a>Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</h2></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2571960">The Lightweight Resolver Library</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2571960"></a>The Lightweight Resolver Library</h2></div></div></div>
 <p>
         Traditionally applications have been linked with a stub resolver
         library that sends recursive DNS queries to a local caching name
         server.
       </p>
 <p>
         IPv6 once introduced new complexity into the resolution process,
         such as following A6 chains and DNAME records, and simultaneous
         lookup of IPv4 and IPv6 addresses.  Though most of the complexity was
         then removed, these are hard or impossible
         to implement in a traditional stub resolver.
       </p>
 <p>
         <acronym class="acronym">BIND</acronym> 9 therefore can also provide resolution
         services to local clients
         using a combination of a lightweight resolver library and a resolver
         daemon process running on the local host.  These communicate using
         a simple UDP-based protocol, the "lightweight resolver protocol"
         that is distinct from and simpler than the full DNS protocol.
       </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="lwresd"></a>Running a Resolver Daemon</h2></div></div></div>
 <p>
         To use the lightweight resolver interface, the system must
         run the resolver daemon <span><strong class="command">lwresd</strong></span> or a
         local
         name server configured with a <span><strong class="command">lwres</strong></span>
         statement.
       </p>
 <p>
         By default, applications using the lightweight resolver library will
         make
         UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
         The
         address can be overridden by <span><strong class="command">lwserver</strong></span>
         lines in
         <code class="filename">/etc/resolv.conf</code>.
       </p>
 <p>
         The daemon currently only looks in the DNS, but in the future
         it may use other sources such as <code class="filename">/etc/hosts</code>,
         NIS, etc.
       </p>
 <p>
         The <span><strong class="command">lwresd</strong></span> daemon is essentially a
         caching-only name server that responds to requests using the
         lightweight
         resolver protocol rather than the DNS protocol.  Because it needs
         to run on each host, it is designed to require no or minimal
         configuration.
         Unless configured otherwise, it uses the name servers listed on
         <span><strong class="command">nameserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code>
         as forwarders, but is also capable of doing the resolution
         autonomously if
         none are specified.
       </p>
 <p>
         The <span><strong class="command">lwresd</strong></span> daemon may also be
         configured with a
         <code class="filename">named.conf</code> style configuration file,
         in
         <code class="filename">/etc/lwresd.conf</code> by default.  A name
         server may also
         be configured to act as a lightweight resolver daemon using the
         <span><strong class="command">lwres</strong></span> statement in <code class="filename">named.conf</code>.
       </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch04.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch06.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Chapter 4. Advanced DNS Features </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html	(revision 286124)
@@ -1,11647 +1,11647 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 6. BIND 9 Configuration Reference</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
 <link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="chapter" lang="en">
 <div class="titlepage"><div><div><h2 class="title">
 <a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573374">Comment Syntax</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574035"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574225"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574584"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574601"><span><strong class="command">include</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574761"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574785"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574875"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575001"><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577168"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577241"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577305"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577417"><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577438"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
             Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590489"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
             Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590796"><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590843"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591278"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
             Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592987"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2596605">Zone File</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598768">Discussion of MX Records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599451">Inverse Mapping in IPv4</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599578">Other Zone File Directives</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599851"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
 </dl>
 </div>
 <p>
       <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
       to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
       areas
       of configuration, such as views. <acronym class="acronym">BIND</acronym>
       8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
       9, although more complex configurations should be reviewed to check
       if they can be more efficiently implemented using the new features
       found in <acronym class="acronym">BIND</acronym> 9.
     </p>
 <p>
       <acronym class="acronym">BIND</acronym> 4 configuration files can be
       converted to the new format
       using the shell script
       <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
     </p>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
 <p>
         Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
         file documentation:
       </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                 <p>
                   <code class="varname">acl_name</code>
                 </p>
               </td>
 <td>
                 <p>
                   The name of an <code class="varname">address_match_list</code> as
                   defined by the <span><strong class="command">acl</strong></span> statement.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">address_match_list</code>
                 </p>
               </td>
 <td>
                 <p>
                   A list of one or more
                   <code class="varname">ip_addr</code>,
                   <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
                   or <code class="varname">acl_name</code> elements, see
                   <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">masters_list</code>
                 </p>
               </td>
 <td>
                 <p>
                   A named list of one or more <code class="varname">ip_addr</code>
                   with optional <code class="varname">key_id</code> and/or
                   <code class="varname">ip_port</code>.
                   A <code class="varname">masters_list</code> may include other
                   <code class="varname">masters_lists</code>.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">domain_name</code>
                 </p>
               </td>
 <td>
                 <p>
                   A quoted string which will be used as
                   a DNS name, for example "<code class="literal">my.test.domain</code>".
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">namelist</code>
                 </p>
               </td>
 <td>
                 <p>
                   A list of one or more <code class="varname">domain_name</code>
                   elements.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">dotted_decimal</code>
                 </p>
               </td>
 <td>
                 <p>
                   One to four integers valued 0 through
                   255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
                   <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">ip4_addr</code>
                 </p>
               </td>
 <td>
                 <p>
                   An IPv4 address with exactly four elements
                   in <code class="varname">dotted_decimal</code> notation.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">ip6_addr</code>
                 </p>
               </td>
 <td>
                 <p>
                   An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
                   IPv6 scoped addresses that have ambiguity on their
                   scope zones must be disambiguated by an appropriate
                   zone ID with the percent character (`%') as
                   delimiter.  It is strongly recommended to use
                   string zone names rather than numeric identifiers,
                   in order to be robust against system configuration
                   changes.  However, since there is no standard
                   mapping for such names and identifier values,
                   currently only interface names as link identifiers
                   are supported, assuming one-to-one mapping between
                   interfaces and links.  For example, a link-local
                   address <span><strong class="command">fe80::1</strong></span> on the link
                   attached to the interface <span><strong class="command">ne0</strong></span>
                   can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
                   Note that on most systems link-local addresses
                   always have the ambiguity, and need to be
                   disambiguated.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">ip_addr</code>
                 </p>
               </td>
 <td>
                 <p>
                   An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">ip_port</code>
                 </p>
               </td>
 <td>
                 <p>
                   An IP port <code class="varname">number</code>.
                   The <code class="varname">number</code> is limited to 0
                   through 65535, with values
                   below 1024 typically restricted to use by processes running
                   as root.
                   In some cases, an asterisk (`*') character can be used as a
                   placeholder to
                   select a random high-numbered port.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">ip_prefix</code>
                 </p>
               </td>
 <td>
                 <p>
                   An IP network specified as an <code class="varname">ip_addr</code>,
                   followed by a slash (`/') and then the number of bits in the
                   netmask.
                   Trailing zeros in a <code class="varname">ip_addr</code>
                   may omitted.
                   For example, <span><strong class="command">127/8</strong></span> is the
                   network <span><strong class="command">127.0.0.0</strong></span> with
                   netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
                   network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
                 </p>
                 <p>
                   When specifying a prefix involving a IPv6 scoped address
                   the scope may be omitted.  In that case the prefix will
                   match packets from any scope.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">key_id</code>
                 </p>
               </td>
 <td>
                 <p>
                   A <code class="varname">domain_name</code> representing
                   the name of a shared key, to be used for transaction
                   security.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">key_list</code>
                 </p>
               </td>
 <td>
                 <p>
                   A list of one or more
                   <code class="varname">key_id</code>s,
                   separated by semicolons and ending with a semicolon.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">number</code>
                 </p>
               </td>
 <td>
                 <p>
                   A non-negative 32-bit integer
                   (i.e., a number between 0 and 4294967295, inclusive).
                   Its acceptable value might further
                   be limited by the context in which it is used.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">path_name</code>
                 </p>
               </td>
 <td>
                 <p>
                   A quoted string which will be used as
                   a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">port_list</code>
                 </p>
               </td>
 <td>
                 <p>
                   A list of an <code class="varname">ip_port</code> or a port
                   range.
                   A port range is specified in the form of
                   <strong class="userinput"><code>range</code></strong> followed by
                   two <code class="varname">ip_port</code>s,
                   <code class="varname">port_low</code> and
                   <code class="varname">port_high</code>, which represents
                   port numbers from <code class="varname">port_low</code> through
                   <code class="varname">port_high</code>, inclusive.
                   <code class="varname">port_low</code> must not be larger than
                   <code class="varname">port_high</code>.
                   For example,
                   <strong class="userinput"><code>range 1024 65535</code></strong> represents
                   ports from 1024 through 65535.
                   In either case an asterisk (`*') character is not
                   allowed as a valid <code class="varname">ip_port</code>.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">size_spec</code>
                 </p>
               </td>
 <td>
                 <p>
                   A 64-bit unsigned integer, or the keywords
                   <strong class="userinput"><code>unlimited</code></strong> or
                   <strong class="userinput"><code>default</code></strong>.
                 </p>
                 <p>
                   Integers may take values
                   0 &lt;= value &lt;= 18446744073709551615, though
                   certain parameters
                   (such as <span><strong class="command">max-journal-size</strong></span>) may
                   use a more limited range within these extremes.
                   In most cases, setting a value to 0 does not
                   literally mean zero; it means "undefined" or
                   "as big as possible", depending on the context.
                   See the explanations of particular parameters
                   that use <code class="varname">size_spec</code>
                   for details on how they interpret its use. 
                 </p>
                 <p>
                   Numeric values can optionally be followed by a
                   scaling factor:
                   <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
                   for kilobytes,
                   <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
                   for megabytes, and
                   <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong>
                   for gigabytes, which scale by 1024, 1024*1024, and
                   1024*1024*1024 respectively.
                 </p>
                 <p>
                   <code class="varname">unlimited</code> generally means
                   "as big as possible", though in certain contexts,
                   (including <code class="option">max-cache-size</code>), it may
                   mean the largest possible 32-bit unsigned integer
                   (0xffffffff); this distinction can be important when
                   dealing with larger quantities. 
                   <code class="varname">unlimited</code> is usually the best way
                   to safely set a very large number.
                 </p>
                 <p>
                   <code class="varname">default</code> 
                   uses the limit that was in force when the server was started.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">yes_or_no</code>
                 </p>
               </td>
 <td>
                 <p>
                   Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
                   The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
                   also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
                   and <strong class="userinput"><code>0</code></strong>.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p>
                   <code class="varname">dialup_option</code>
                 </p>
               </td>
 <td>
                 <p>
                   One of <strong class="userinput"><code>yes</code></strong>,
                   <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
                   <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
                   <strong class="userinput"><code>passive</code></strong>.
                   When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
                   <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
                   are restricted to slave and stub zones.
                 </p>
               </td>
 </tr>
 </tbody>
 </table></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2573073"></a>Syntax</h4></div></div></div>
 <pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
   [<span class="optional"> address_match_list_element; ... </span>]
 <code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
    key key_id | acl_name | { address_match_list } )
 </pre>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2573100"></a>Definition and Usage</h4></div></div></div>
 <p>
             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
             the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
             statements. The elements which constitute an address match
             list can be any of the following:
           </p>
 <div class="itemizedlist"><ul type="disc">
 <li>an IP address (IPv4 or IPv6)</li>
 <li>an IP prefix (in `/' notation)</li>
 <li>
                 a key ID, as defined by the <span><strong class="command">key</strong></span>
                 statement
               </li>
 <li>the name of an address match list defined with
                 the <span><strong class="command">acl</strong></span> statement
               </li>
 <li>a nested address match list enclosed in braces</li>
 </ul></div>
 <p>
             Elements can be negated with a leading exclamation mark (`!'),
             and the match list names "any", "none", "localhost", and
             "localnets" are predefined. More information on those names
             can be found in the description of the acl statement.
           </p>
 <p>
             The addition of the key clause made the name of this syntactic
             element something of a misnomer, since security keys can be used
             to validate access without regard to a host or network address.
             Nonetheless, the term "address match list" is still used
             throughout the documentation.
           </p>
 <p>
             When a given IP address or prefix is compared to an address
             match list, the comparison takes place in approximately O(1)
             time.  However, key comparisons require that the list of keys
             be traversed until a matching key is found, and therefore may
             be somewhat slower.
           </p>
 <p>
             The interpretation of a match depends on whether the list is being
             used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
             <span><strong class="command">sortlist</strong></span>, and whether the element was negated.
           </p>
 <p>
             When used as an access control list, a non-negated match
             allows access and a negated match denies access. If
             there is no match, access is denied. The clauses
             <span><strong class="command">allow-notify</strong></span>,
             <span><strong class="command">allow-recursion</strong></span>,
             <span><strong class="command">allow-recursion-on</strong></span>,
             <span><strong class="command">allow-query</strong></span>,
             <span><strong class="command">allow-query-on</strong></span>,
             <span><strong class="command">allow-query-cache</strong></span>,
             <span><strong class="command">allow-query-cache-on</strong></span>,
             <span><strong class="command">allow-transfer</strong></span>,
             <span><strong class="command">allow-update</strong></span>,
             <span><strong class="command">allow-update-forwarding</strong></span>, and
             <span><strong class="command">blackhole</strong></span> all use address match
             lists.  Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
             server to refuse queries on any of the machine's
             addresses which do not match the list.
           </p>
 <p>
             Order of insertion is significant.  If more than one element
             in an ACL is found to match a given IP address or prefix,
             preference will be given to the one that came
             <span class="emphasis"><em>first</em></span> in the ACL definition.
             Because of this first-match behavior, an element that
             defines a subset of another element in the list should
             come before the broader element, regardless of whether
             either is negated. For example, in
             <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
             the 1.2.3.13 element is completely useless because the
             algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
             element.  Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
             that problem by having 1.2.3.13 blocked by the negation, but
             all other 1.2.3.* hosts fall through.
           </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2573374"></a>Comment Syntax</h3></div></div></div>
 <p>
           The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
           comments to appear
           anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
           file. To appeal to programmers of all kinds, they can be written
           in the C, C++, or shell/perl style.
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2573458"></a>Syntax</h4></div></div></div>
 <p>
             </p>
 <pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
 <p>
             </p>
 <pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
 <p>
             </p>
 <pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
 # and perl</pre>
 <p>
           </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2573488"></a>Definition and Usage</h4></div></div></div>
 <p>
             Comments may appear anywhere that whitespace may appear in
             a <acronym class="acronym">BIND</acronym> configuration file.
           </p>
 <p>
             C-style comments start with the two characters /* (slash,
             star) and end with */ (star, slash). Because they are completely
             delimited with these characters, they can be used to comment only
             a portion of a line or to span multiple lines.
           </p>
 <p>
             C-style comments cannot be nested. For example, the following
             is not valid because the entire comment ends with the first */:
           </p>
 <p>
 
 </p>
 <pre class="programlisting">/* This is the start of a comment.
    This is still part of the comment.
 /* This is an incorrect attempt at nesting a comment. */
    This is no longer in any comment. */
 </pre>
 <p>
 
           </p>
 <p>
             C++-style comments start with the two characters // (slash,
             slash) and continue to the end of the physical line. They cannot
             be continued across multiple physical lines; to have one logical
             comment span multiple lines, each line must use the // pair.
             For example:
           </p>
 <p>
 
 </p>
 <pre class="programlisting">// This is the start of a comment.  The next line
 // is a new comment, even though it is logically
 // part of the previous comment.
 </pre>
 <p>
 
           </p>
 <p>
             Shell-style (or perl-style, if you prefer) comments start
             with the character <code class="literal">#</code> (number sign)
             and continue to the end of the
             physical line, as in C++ comments.
             For example:
           </p>
 <p>
 
 </p>
 <pre class="programlisting"># This is the start of a comment.  The next line
 # is a new comment, even though it is logically
 # part of the previous comment.
 </pre>
 <p>
 
           </p>
 <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
 <p>
               You cannot use the semicolon (`;') character
               to start a comment such as you would in a zone file. The
               semicolon indicates the end of a configuration
               statement.
             </p>
 </div>
 </div>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
 <p>
         A <acronym class="acronym">BIND</acronym> 9 configuration consists of
         statements and comments.
         Statements end with a semicolon. Statements and comments are the
         only elements that can appear without enclosing braces. Many
         statements contain a block of sub-statements, which are also
         terminated with a semicolon.
       </p>
 <p>
         The following statements are supported:
       </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                 <p><span><strong class="command">acl</strong></span></p>
               </td>
 <td>
                 <p>
                   defines a named IP address
                   matching list, for access control and other uses.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p><span><strong class="command">controls</strong></span></p>
               </td>
 <td>
                 <p>
                   declares control channels to be used
                   by the <span><strong class="command">rndc</strong></span> utility.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p><span><strong class="command">include</strong></span></p>
               </td>
 <td>
                 <p>
                   includes a file.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p><span><strong class="command">key</strong></span></p>
               </td>
 <td>
                 <p>
                   specifies key information for use in
                   authentication and authorization using TSIG.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p><span><strong class="command">logging</strong></span></p>
               </td>
 <td>
                 <p>
                   specifies what the server logs, and where
                   the log messages are sent.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p><span><strong class="command">lwres</strong></span></p>
               </td>
 <td>
                 <p>
                   configures <span><strong class="command">named</strong></span> to
                   also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p><span><strong class="command">masters</strong></span></p>
               </td>
 <td>
                 <p>
                   defines a named masters list for
                   inclusion in stub and slave zones'
                   <span><strong class="command">masters</strong></span> or 
                   <span><strong class="command">also-notify</strong></span> lists.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p><span><strong class="command">options</strong></span></p>
               </td>
 <td>
                 <p>
                   controls global server configuration
                   options and sets defaults for other statements.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p><span><strong class="command">server</strong></span></p>
               </td>
 <td>
                 <p>
                   sets certain configuration options on
                   a per-server basis.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p><span><strong class="command">statistics-channels</strong></span></p>
               </td>
 <td>
                 <p>
                   declares communication channels to get access to
                   <span><strong class="command">named</strong></span> statistics.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p><span><strong class="command">trusted-keys</strong></span></p>
               </td>
 <td>
                 <p>
                   defines trusted DNSSEC keys.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p><span><strong class="command">managed-keys</strong></span></p>
               </td>
 <td>
                 <p>
                   lists DNSSEC keys to be kept up to date
                   using RFC 5011 trust anchor maintenance.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p><span><strong class="command">view</strong></span></p>
               </td>
 <td>
                 <p>
                   defines a view.
                 </p>
               </td>
 </tr>
 <tr>
 <td>
                 <p><span><strong class="command">zone</strong></span></p>
               </td>
 <td>
                 <p>
                   defines a zone.
                 </p>
               </td>
 </tr>
 </tbody>
 </table></div>
 <p>
         The <span><strong class="command">logging</strong></span> and
         <span><strong class="command">options</strong></span> statements may only occur once
         per
         configuration.
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2574035"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
     address_match_list
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">acl</strong></span> statement assigns a symbolic
           name to an address match list. It gets its name from a primary
           use of address match lists: Access Control Lists (ACLs).
         </p>
 <p>
           The following ACLs are built-in:
         </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                   <p><span><strong class="command">any</strong></span></p>
                 </td>
 <td>
                   <p>
                     Matches all hosts.
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p><span><strong class="command">none</strong></span></p>
                 </td>
 <td>
                   <p>
                     Matches no hosts.
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p><span><strong class="command">localhost</strong></span></p>
                 </td>
 <td>
                   <p>
                     Matches the IPv4 and IPv6 addresses of all network
                     interfaces on the system.  When addresses are
                     added or removed, the <span><strong class="command">localhost</strong></span>
                     ACL element is updated to reflect the changes.
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p><span><strong class="command">localnets</strong></span></p>
                 </td>
 <td>
                   <p>
                     Matches any host on an IPv4 or IPv6 network
                     for which the system has an interface.
                     When addresses are added or removed,
                     the <span><strong class="command">localnets</strong></span>
                     ACL element is updated to reflect the changes.
                     Some systems do not provide a way to determine the prefix
                     lengths of
                     local IPv6 addresses.
                     In such a case, <span><strong class="command">localnets</strong></span>
                     only matches the local
                     IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
                   </p>
                 </td>
 </tr>
 </tbody>
 </table></div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2574225"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">controls</strong></span> {
    [ inet ( ip_addr | * ) [ port ip_port ]
                 allow { <em class="replaceable"><code> address_match_list </code></em> }
                 keys { <em class="replaceable"><code>key_list</code></em> }; ]
    [ inet ...; ]
    [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
      keys { <em class="replaceable"><code>key_list</code></em> }; ]
    [ unix ...; ]
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">controls</strong></span> statement declares control
           channels to be used by system administrators to control the
           operation of the name server. These control channels are
           used by the <span><strong class="command">rndc</strong></span> utility to send
           commands to and retrieve non-DNS results from a name server.
         </p>
 <p>
           An <span><strong class="command">inet</strong></span> control channel is a TCP socket
           listening at the specified <span><strong class="command">ip_port</strong></span> on the
           specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
           address.  An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
           interpreted as the IPv4 wildcard address; connections will be
           accepted on any of the system's IPv4 addresses.
           To listen on the IPv6 wildcard address,
           use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
           If you will only use <span><strong class="command">rndc</strong></span> on the local host,
           using the loopback address (<code class="literal">127.0.0.1</code>
           or <code class="literal">::1</code>) is recommended for maximum security.
         </p>
 <p>
           If no port is specified, port 953 is used. The asterisk
           "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
         </p>
 <p>
           The ability to issue commands over the control channel is
           restricted by the <span><strong class="command">allow</strong></span> and
           <span><strong class="command">keys</strong></span> clauses.
           Connections to the control channel are permitted based on the
           <span><strong class="command">address_match_list</strong></span>.  This is for simple
           IP address based filtering only; any <span><strong class="command">key_id</strong></span>
           elements of the <span><strong class="command">address_match_list</strong></span>
           are ignored.
         </p>
 <p>
           A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
           socket listening at the specified path in the file system.
           Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
           <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
           Note on some platforms (SunOS and Solaris) the permissions
           (<span><strong class="command">perm</strong></span>) are applied to the parent directory
           as the permissions on the socket itself are ignored.
         </p>
 <p>
           The primary authorization mechanism of the command
           channel is the <span><strong class="command">key_list</strong></span>, which
           contains a list of <span><strong class="command">key_id</strong></span>s.
           Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
           is authorized to execute commands over the control channel.
           See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>)
           for information about configuring keys in <span><strong class="command">rndc</strong></span>.
         </p>
 <p>
           If no <span><strong class="command">controls</strong></span> statement is present,
           <span><strong class="command">named</strong></span> will set up a default
           control channel listening on the loopback address 127.0.0.1
           and its IPv6 counterpart ::1.
           In this case, and also when the <span><strong class="command">controls</strong></span> statement
           is present but does not have a <span><strong class="command">keys</strong></span> clause,
           <span><strong class="command">named</strong></span> will attempt to load the command channel key
           from the file <code class="filename">rndc.key</code> in
           <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
           was specified as when <acronym class="acronym">BIND</acronym> was built).
           To create a <code class="filename">rndc.key</code> file, run
           <strong class="userinput"><code>rndc-confgen -a</code></strong>.
         </p>
 <p>
           The <code class="filename">rndc.key</code> feature was created to
           ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
           which did not have digital signatures on its command channel
           messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
 
           It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
           configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
           and still have <span><strong class="command">rndc</strong></span> work the same way
           <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
           command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
           installed.
         </p>
 <p>
           Since the <code class="filename">rndc.key</code> feature
           is only intended to allow the backward-compatible usage of
           <acronym class="acronym">BIND</acronym> 8 configuration files, this
           feature does not
           have a high degree of configurability.  You cannot easily change
           the key name or the size of the secret, so you should make a
           <code class="filename">rndc.conf</code> with your own key if you
           wish to change
           those things.  The <code class="filename">rndc.key</code> file
           also has its
           permissions set such that only the owner of the file (the user that
           <span><strong class="command">named</strong></span> is running as) can access it.
           If you
           desire greater flexibility in allowing other users to access
           <span><strong class="command">rndc</strong></span> commands, then you need to create
           a
           <code class="filename">rndc.conf</code> file and make it group
           readable by a group
           that contains the users who should have access.
         </p>
 <p>
           To disable the command channel, use an empty
           <span><strong class="command">controls</strong></span> statement:
           <span><strong class="command">controls { };</strong></span>.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2574584"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2574601"></a><span><strong class="command">include</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">include</strong></span> statement inserts the
           specified file at the point where the <span><strong class="command">include</strong></span>
           statement is encountered. The <span><strong class="command">include</strong></span>
                 statement facilitates the administration of configuration
           files
           by permitting the reading or writing of some things but not
           others. For example, the statement could include private keys
           that are readable only by the name server.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2574761"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
     algorithm <em class="replaceable"><code>string</code></em>;
     secret <em class="replaceable"><code>string</code></em>;
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2574785"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">key</strong></span> statement defines a shared
           secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
           or the command channel
           (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
           Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
           Usage&#8221;</a>).
         </p>
 <p>
           The <span><strong class="command">key</strong></span> statement can occur at the
           top level
           of the configuration file or inside a <span><strong class="command">view</strong></span>
           statement.  Keys defined in top-level <span><strong class="command">key</strong></span>
           statements can be used in all views.  Keys intended for use in
           a <span><strong class="command">controls</strong></span> statement
           (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
           Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
           Usage&#8221;</a>)
           must be defined at the top level.
         </p>
 <p>
           The <em class="replaceable"><code>key_id</code></em>, also known as the
           key name, is a domain name uniquely identifying the key. It can
           be used in a <span><strong class="command">server</strong></span>
           statement to cause requests sent to that
           server to be signed with this key, or in address match lists to
           verify that incoming requests have been signed with a key
           matching this name, algorithm, and secret.
         </p>
 <p>
           The <em class="replaceable"><code>algorithm_id</code></em> is a string
           that specifies a security/authentication algorithm.  Named
           supports <code class="literal">hmac-md5</code>,
           <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
           <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
           and <code class="literal">hmac-sha512</code> TSIG authentication.
           Truncated hashes are supported by appending the minimum
           number of required bits preceded by a dash, e.g.
           <code class="literal">hmac-sha1-80</code>.  The
           <em class="replaceable"><code>secret_string</code></em> is the secret
           to be used by the algorithm, and is treated as a base-64
           encoded string.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2574875"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">logging</strong></span> {
    [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
      ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
          [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
          [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size_spec</code></em> ]
        | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
        | <span><strong class="command">stderr</strong></span>
        | <span><strong class="command">null</strong></span> );
      [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
                  <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
      [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
      [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
      [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
    }; ]
    [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
      <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
    }; ]
    ...
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2575001"></a><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">logging</strong></span> statement configures a
           wide
           variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
           associates output methods, format options and severity levels with
           a name that can then be used with the <span><strong class="command">category</strong></span> phrase
           to select how various classes of messages are logged.
         </p>
 <p>
           Only one <span><strong class="command">logging</strong></span> statement is used to
           define
           as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
           the logging configuration will be:
         </p>
 <pre class="programlisting">logging {
      category default { default_syslog; default_debug; };
      category unmatched { null; };
 };
 </pre>
 <p>
           In <acronym class="acronym">BIND</acronym> 9, the logging configuration
           is only established when
           the entire configuration file has been parsed.  In <acronym class="acronym">BIND</acronym> 8, it was
           established as soon as the <span><strong class="command">logging</strong></span>
           statement
           was parsed. When the server is starting up, all logging messages
           regarding syntax errors in the configuration file go to the default
           channels, or to standard error if the "<code class="option">-g</code>" option
           was specified.
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2575053"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
 <p>
             All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
             you can make as many of them as you want.
           </p>
 <p>
             Every channel definition must include a destination clause that
             says whether messages selected for the channel go to a file, to a
             particular syslog facility, to the standard error stream, or are
             discarded. It can optionally also limit the message severity level
             that will be accepted by the channel (the default is
             <span><strong class="command">info</strong></span>), and whether to include a
             <span><strong class="command">named</strong></span>-generated time stamp, the
             category name
             and/or severity level (the default is not to include any).
           </p>
 <p>
             The <span><strong class="command">null</strong></span> destination clause
             causes all messages sent to the channel to be discarded;
             in that case, other options for the channel are meaningless.
           </p>
 <p>
             The <span><strong class="command">file</strong></span> destination clause directs
             the channel
             to a disk file.  It can include limitations
             both on how large the file is allowed to become, and how many
             versions
             of the file will be saved each time the file is opened.
           </p>
 <p>
             If you use the <span><strong class="command">versions</strong></span> log file
             option, then
             <span><strong class="command">named</strong></span> will retain that many backup
             versions of the file by
             renaming them when opening.  For example, if you choose to keep
             three old versions
             of the file <code class="filename">lamers.log</code>, then just
             before it is opened
             <code class="filename">lamers.log.1</code> is renamed to
             <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
             to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
             renamed to <code class="filename">lamers.log.0</code>.
             You can say <span><strong class="command">versions unlimited</strong></span> to
             not limit
             the number of versions.
             If a <span><strong class="command">size</strong></span> option is associated with
             the log file,
             then renaming is only done when the file being opened exceeds the
             indicated size.  No backup versions are kept by default; any
             existing
             log file is simply appended.
           </p>
 <p>
             The <span><strong class="command">size</strong></span> option for files is used
             to limit log
             growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
             stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
             associated with it.  If backup versions are kept, the files are
             rolled as
             described above and a new one begun.  If there is no
             <span><strong class="command">versions</strong></span> option, no more data will
             be written to the log
             until some out-of-band mechanism removes or truncates the log to
             less than the
             maximum size.  The default behavior is not to limit the size of
             the
             file.
           </p>
 <p>
             Example usage of the <span><strong class="command">size</strong></span> and
             <span><strong class="command">versions</strong></span> options:
           </p>
 <pre class="programlisting">channel an_example_channel {
     file "example.log" versions 3 size 20m;
     print-time yes;
     print-category yes;
 };
 </pre>
 <p>
             The <span><strong class="command">syslog</strong></span> destination clause
             directs the
             channel to the system log.  Its argument is a
             syslog facility as described in the <span><strong class="command">syslog</strong></span> man
             page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
             <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
             <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
             <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
             <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
             <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
             <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
             <span><strong class="command">local7</strong></span>, however not all facilities
             are supported on
             all operating systems.
             How <span><strong class="command">syslog</strong></span> will handle messages
             sent to
             this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
             page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
             only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
             then this clause is silently ignored.
           </p>
 <p>
             On Windows machines syslog messages are directed to the EventViewer.
           </p>
 <p>
             The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
             "priorities", except that they can also be used if you are writing
             straight to a file rather than using <span><strong class="command">syslog</strong></span>.
             Messages which are not at least of the severity level given will
             not be selected for the channel; messages of higher severity
             levels
             will be accepted.
           </p>
 <p>
             If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
             will also determine what eventually passes through. For example,
             defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
             only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
             cause messages of severity <span><strong class="command">info</strong></span> and
             <span><strong class="command">notice</strong></span> to
             be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
             messages of only <span><strong class="command">warning</strong></span> or higher,
             then <span><strong class="command">syslogd</strong></span> would
             print all messages it received from the channel.
           </p>
 <p>
             The <span><strong class="command">stderr</strong></span> destination clause
             directs the
             channel to the server's standard error stream.  This is intended
             for
             use when the server is running as a foreground process, for
             example
             when debugging a configuration.
           </p>
 <p>
             The server can supply extensive debugging information when
             it is in debugging mode. If the server's global debug level is
             greater
             than zero, then debugging mode will be active. The global debug
             level is set either by starting the <span><strong class="command">named</strong></span> server
             with the <code class="option">-d</code> flag followed by a positive integer,
             or by running <span><strong class="command">rndc trace</strong></span>.
             The global debug level
             can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
 notrace</strong></span>. All debugging messages in the server have a debug
             level, and higher debug levels give more detailed output. Channels
             that specify a specific debug severity, for example:
           </p>
 <pre class="programlisting">channel specific_debug_level {
     file "foo";
     severity debug 3;
 };
 </pre>
 <p>
             will get debugging output of level 3 or less any time the
             server is in debugging mode, regardless of the global debugging
             level. Channels with <span><strong class="command">dynamic</strong></span>
             severity use the
             server's global debug level to determine what messages to print.
           </p>
 <p>
             If <span><strong class="command">print-time</strong></span> has been turned on,
             then
             the date and time will be logged. <span><strong class="command">print-time</strong></span> may
             be specified for a <span><strong class="command">syslog</strong></span> channel,
             but is usually
             pointless since <span><strong class="command">syslog</strong></span> also logs
             the date and
             time. If <span><strong class="command">print-category</strong></span> is
             requested, then the
             category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
             on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
             be used in any combination, and will always be printed in the
             following
             order: time, category, severity. Here is an example where all
             three <span><strong class="command">print-</strong></span> options
             are on:
           </p>
 <p>
             <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
           </p>
 <p>
             There are four predefined channels that are used for
             <span><strong class="command">named</strong></span>'s default logging as follows.
             How they are
             used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span><strong class="command">category</strong></span> Phrase&#8221;</a>.
           </p>
 <pre class="programlisting">channel default_syslog {
     // send to syslog's daemon facility
     syslog daemon;
     // only send priority info and higher
     severity info;
 
 channel default_debug {
     // write to named.run in the working directory
     // Note: stderr is used instead of "named.run" if
     // the server is started with the '-f' option.
     file "named.run";
     // log at the server's current debug level
     severity dynamic;
 };
 
 channel default_stderr {
     // writes to stderr
     stderr;
     // only send priority info and higher
     severity info;
 };
 
 channel null {
    // toss anything sent to this channel
    null;
 };
 </pre>
 <p>
             The <span><strong class="command">default_debug</strong></span> channel has the
             special
             property that it only produces output when the server's debug
             level is
             nonzero.  It normally writes to a file called <code class="filename">named.run</code>
             in the server's working directory.
           </p>
 <p>
             For security reasons, when the "<code class="option">-u</code>"
             command line option is used, the <code class="filename">named.run</code> file
             is created only after <span><strong class="command">named</strong></span> has
             changed to the
             new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
             starting up and still running as root is discarded.  If you need
             to capture this output, you must run the server with the "<code class="option">-g</code>"
             option and redirect standard error to a file.
           </p>
 <p>
             Once a channel is defined, it cannot be redefined. Thus you
             cannot alter the built-in channels directly, but you can modify
             the default logging by pointing categories at channels you have
             defined.
           </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
 <p>
             There are many categories, so you can send the logs you want
             to see wherever you want, without seeing logs you don't want. If
             you don't specify a list of channels for a category, then log
             messages
             in that category will be sent to the <span><strong class="command">default</strong></span> category
             instead. If you don't specify a default category, the following
             "default default" is used:
           </p>
 <pre class="programlisting">category default { default_syslog; default_debug; };
 </pre>
 <p>
             As an example, let's say you want to log security events to
             a file, but you also want keep the default logging behavior. You'd
             specify the following:
           </p>
 <pre class="programlisting">channel my_security_channel {
     file "my_security_file";
     severity info;
 };
 category security {
     my_security_channel;
     default_syslog;
     default_debug;
 };</pre>
 <p>
             To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
           </p>
 <pre class="programlisting">category xfer-out { null; };
 category notify { null; };
 </pre>
 <p>
             Following are the available categories and brief descriptions
             of the types of log information they contain. More
             categories may be added in future <acronym class="acronym">BIND</acronym> releases.
           </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                     <p><span><strong class="command">default</strong></span></p>
                   </td>
 <td>
                     <p>
                       The default category defines the logging
                       options for those categories where no specific
                       configuration has been
                       defined.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">general</strong></span></p>
                   </td>
 <td>
                     <p>
                       The catch-all. Many things still aren't
                       classified into categories, and they all end up here.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">database</strong></span></p>
                   </td>
 <td>
                     <p>
                       Messages relating to the databases used
                       internally by the name server to store zone and cache
                       data.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">security</strong></span></p>
                   </td>
 <td>
                     <p>
                       Approval and denial of requests.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">config</strong></span></p>
                   </td>
 <td>
                     <p>
                       Configuration file parsing and processing.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">resolver</strong></span></p>
                   </td>
 <td>
                     <p>
                       DNS resolution, such as the recursive
                       lookups performed on behalf of clients by a caching name
                       server.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">xfer-in</strong></span></p>
                   </td>
 <td>
                     <p>
                       Zone transfers the server is receiving.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">xfer-out</strong></span></p>
                   </td>
 <td>
                     <p>
                       Zone transfers the server is sending.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">notify</strong></span></p>
                   </td>
 <td>
                     <p>
                       The NOTIFY protocol.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">client</strong></span></p>
                   </td>
 <td>
                     <p>
                       Processing of client requests.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">unmatched</strong></span></p>
                   </td>
 <td>
                     <p>
                       Messages that <span><strong class="command">named</strong></span> was unable to determine the
                       class of or for which there was no matching <span><strong class="command">view</strong></span>.
                       A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
                       This category is best sent to a file or stderr, by
                       default it is sent to
                       the <span><strong class="command">null</strong></span> channel.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">network</strong></span></p>
                   </td>
 <td>
                     <p>
                       Network operations.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">update</strong></span></p>
                   </td>
 <td>
                     <p>
                       Dynamic updates.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">update-security</strong></span></p>
                   </td>
 <td>
                     <p>
                       Approval and denial of update requests.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">queries</strong></span></p>
                   </td>
 <td>
                     <p>
                       Specify where queries should be logged to.
                     </p>
                     <p>
                       At startup, specifying the category <span><strong class="command">queries</strong></span> will also
                       enable query logging unless <span><strong class="command">querylog</strong></span> option has been
                       specified.
                     </p>
 
                     <p>
                       The query log entry reports the client's IP
                       address and port number, and the query name,
                       class and type.  Next it reports whether the
                       Recursion Desired flag was set (+ if set, -
                       if not set), if the query was signed (S),
                       EDNS was in use (E), if TCP was used (T), if
                       DO (DNSSEC Ok) was set (D), or if CD (Checking
                       Disabled) was set (C).  After this the
                       destination address the query was sent to is
                       reported.
                     </p>
 
                     <p>
                       <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code>
                     </p>
                     <p>
                       <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code>
                     </p>
                     <p>
                       (The first part of this log message, showing the
                       client address/port number and query name, is
                       repeated in all subsequent log messages related
                       to the same query.)
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">query-errors</strong></span></p>
                   </td>
 <td>
                     <p>
                       Information about queries that resulted in some
                       failure.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">dispatch</strong></span></p>
                   </td>
 <td>
                     <p>
                       Dispatching of incoming packets to the
                       server modules where they are to be processed.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">dnssec</strong></span></p>
                   </td>
 <td>
                     <p>
                       DNSSEC and TSIG protocol processing.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">lame-servers</strong></span></p>
                   </td>
 <td>
                     <p>
                       Lame servers.  These are misconfigurations
                       in remote servers, discovered by BIND 9 when trying to
                       query those servers during resolution.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">delegation-only</strong></span></p>
                   </td>
 <td>
                     <p>
                       Delegation only.  Logs queries that have been
                       forced to NXDOMAIN as the result of a
                       delegation-only zone or a
                       <span><strong class="command">delegation-only</strong></span> in a
                       forward, hint or stub zone declaration.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">edns-disabled</strong></span></p>
                   </td>
 <td>
                     <p>
                       Log queries that have been forced to use plain
                       DNS due to timeouts.  This is often due to
                       the remote servers not being RFC 1034 compliant
                       (not always returning FORMERR or similar to
                       EDNS queries and other extensions to the DNS
                       when they are not understood).  In other words, this is
                       targeted at servers that fail to respond to
                       DNS queries that they don't understand.
                     </p>
                     <p>
                       Note: the log message can also be due to
                       packet loss.  Before reporting servers for
                       non-RFC 1034 compliance they should be re-tested
                       to determine the nature of the non-compliance.
                       This testing should prevent or reduce the
                       number of false-positive reports.
                     </p>
                     <p>
                       Note: eventually <span><strong class="command">named</strong></span> will have to stop
                       treating such timeouts as due to RFC 1034 non
                       compliance and start treating it as plain
                       packet loss.  Falsely classifying packet
                       loss as due to RFC 1034 non compliance impacts
                       on DNSSEC validation which requires EDNS for
                       the DNSSEC records to be returned.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">RPZ</strong></span></p>
                   </td>
 <td>
                     <p>
                       Information about errors in response policy zone files,
                       rewritten responses, and at the highest
                       <span><strong class="command">debug</strong></span> levels, mere rewriting
                       attempts.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">rate-limit</strong></span></p>
                   </td>
 <td>
                     <p>
                       (Only available when <acronym class="acronym">BIND</acronym> 9 is
                       configured with the <strong class="userinput"><code>--enable-rrl</code></strong>
                       option at compile time.)
                     </p>
                     <p>
                       The start, periodic, and final notices of the
                       rate limiting of a stream of responses are logged at
                       <span><strong class="command">info</strong></span> severity in this category.
                       These messages include a hash value of the domain name
                       of the response and the name itself,
                       except when there is insufficient memory to record
                       the name for the final notice
                       The final notice is normally delayed until about one
                       minute after rate limit stops.
                       A lack of memory can hurry the final notice,
                       in which case it starts with an asterisk (*).
                       Various internal events are logged at debug 1 level
                       and higher.
                     </p>
                     <p>
                       Rate limiting of individual requests
                       is logged in the <span><strong class="command">query-errors</strong></span> category.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">cname</strong></span></p>
                   </td>
 <td>
                     <p>
                       Logs nameservers that are skipped due to them being
                       a CNAME rather than A / AAAA records.
                     </p>
                   </td>
 </tr>
 </tbody>
 </table></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2576580"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
 <p>
             The <span><strong class="command">query-errors</strong></span> category is
             specifically intended for debugging purposes: To identify
             why and how specific queries result in responses which
             indicate an error.
             Messages of this category are therefore only logged
             with <span><strong class="command">debug</strong></span> levels.
           </p>
 <p>
             At the debug levels of 1 or higher, each response with the
             rcode of SERVFAIL is logged as follows:
           </p>
 <p>
             <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
           </p>
 <p>
             This means an error resulting in SERVFAIL was
             detected at line 3880 of source file
             <code class="filename">query.c</code>.
             Log messages of this level will particularly
             help identify the cause of SERVFAIL for an
             authoritative server.
           </p>
 <p>
             At the debug levels of 2 or higher, detailed context
             information of recursive resolutions that resulted in
             SERVFAIL is logged.
             The log message will look like as follows:
           </p>
 <p>
 
             </p>
 <pre class="programlisting">
 fetch completed at resolver.c:2970 for www.example.com/A
 in 30.000183: timed out/success [domain:example.com,
 referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
 badresp:1,adberr:0,findfail:0,valfail:0]
             </pre>
 <p>
           </p>
 <p>
             The first part before the colon shows that a recursive
             resolution for AAAA records of www.example.com completed
             in 30.000183 seconds and the final result that led to the
             SERVFAIL was determined at line 2970 of source file
             <code class="filename">resolver.c</code>.
           </p>
 <p>
             The following part shows the detected final result and the
             latest result of DNSSEC validation.
             The latter is always success when no validation attempt
             is made.
             In this example, this query resulted in SERVFAIL probably
             because all name servers are down or unreachable, leading
             to a timeout in 30 seconds.
             DNSSEC validation was probably not attempted.
           </p>
 <p>
             The last part enclosed in square brackets shows statistics
             information collected for this particular resolution
             attempt.
             The <code class="varname">domain</code> field shows the deepest zone
             that the resolver reached;
             it is the zone where the error was finally detected.
             The meaning of the other fields is summarized in the
             following table.
           </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                     <p><code class="varname">referral</code></p>
                   </td>
 <td>
                     <p>
                       The number of referrals the resolver received
                       throughout the resolution process.
                       In the above example this is 2, which are most
                       likely com and example.com.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><code class="varname">restart</code></p>
                   </td>
 <td>
                     <p>
                       The number of cycles that the resolver tried
                       remote servers at the <code class="varname">domain</code>
                       zone.
                       In each cycle the resolver sends one query
                       (possibly resending it, depending on the response)
                       to each known name server of
                       the <code class="varname">domain</code> zone.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><code class="varname">qrysent</code></p>
                   </td>
 <td>
                     <p>
                       The number of queries the resolver sent at the
                       <code class="varname">domain</code> zone.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><code class="varname">timeout</code></p>
                   </td>
 <td>
                     <p>
                       The number of timeouts since the resolver
                       received the last response.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><code class="varname">lame</code></p>
                   </td>
 <td>
                     <p>
                       The number of lame servers the resolver detected
                       at the <code class="varname">domain</code> zone.
                       A server is detected to be lame either by an
                       invalid response or as a result of lookup in
                       BIND9's address database (ADB), where lame
                       servers are cached.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><code class="varname">neterr</code></p>
                   </td>
 <td>
                     <p>
                       The number of erroneous results that the
                       resolver encountered in sending queries
                       at the <code class="varname">domain</code> zone.
                       One common case is the remote server is
                       unreachable and the resolver receives an ICMP
                       unreachable error message.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><code class="varname">badresp</code></p>
                   </td>
 <td>
                     <p>
                       The number of unexpected responses (other than
                       <code class="varname">lame</code>) to queries sent by the
                       resolver at the <code class="varname">domain</code> zone.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><code class="varname">adberr</code></p>
                   </td>
 <td>
                     <p>
                       Failures in finding remote server addresses
                       of the <code class="varname">domain</code> zone in the ADB.
                       One common case of this is that the remote
                       server's name does not have any address records.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><code class="varname">findfail</code></p>
                   </td>
 <td>
                     <p>
                       Failures of resolving remote server addresses.
                       This is a total number of failures throughout
                       the resolution process.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><code class="varname">valfail</code></p>
                   </td>
 <td>
                     <p>
                       Failures of DNSSEC validation.
                       Validation failures are counted throughout
                       the resolution process (not limited to
                       the <code class="varname">domain</code> zone), but should
                       only happen in <code class="varname">domain</code>.
                     </p>
                   </td>
 </tr>
 </tbody>
 </table></div>
 <p>
             At the debug levels of 3 or higher, the same messages
             as those at the debug 1 level are logged for other errors
             than SERVFAIL.
             Note that negative responses such as NXDOMAIN are not
             regarded as errors here.
           </p>
 <p>
             At the debug levels of 4 or higher, the same messages
             as those at the debug 2 level are logged for other errors
             than SERVFAIL.
             Unlike the above case of level 3, messages are logged for
             negative responses.
             This is because any unexpected results can be difficult to
             debug in the recursion case.
           </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2577168"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
 <p>
            This is the grammar of the <span><strong class="command">lwres</strong></span>
           statement in the <code class="filename">named.conf</code> file:
         </p>
 <pre class="programlisting"><span><strong class="command">lwres</strong></span> {
     [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
                 [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
     [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
     [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2577241"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">lwres</strong></span> statement configures the
           name
           server to also act as a lightweight resolver server. (See
           <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>.)  There may be multiple
           <span><strong class="command">lwres</strong></span> statements configuring
           lightweight resolver servers with different properties.
         </p>
 <p>
           The <span><strong class="command">listen-on</strong></span> statement specifies a
           list of
           IPv4 addresses (and ports) that this instance of a lightweight
           resolver daemon
           should accept requests on.  If no port is specified, port 921 is
           used.
           If this statement is omitted, requests will be accepted on
           127.0.0.1,
           port 921.
         </p>
 <p>
           The <span><strong class="command">view</strong></span> statement binds this
           instance of a
           lightweight resolver daemon to a view in the DNS namespace, so that
           the
           response will be constructed in the same manner as a normal DNS
           query
           matching this view.  If this statement is omitted, the default view
           is
           used, and if there is no default view, an error is triggered.
         </p>
 <p>
           The <span><strong class="command">search</strong></span> statement is equivalent to
           the
           <span><strong class="command">search</strong></span> statement in
           <code class="filename">/etc/resolv.conf</code>.  It provides a
           list of domains
           which are appended to relative names in queries.
         </p>
 <p>
           The <span><strong class="command">ndots</strong></span> statement is equivalent to
           the
           <span><strong class="command">ndots</strong></span> statement in
           <code class="filename">/etc/resolv.conf</code>.  It indicates the
           minimum
           number of dots in a relative domain name that should result in an
           exact match lookup before search path elements are appended.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2577305"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting">
 <span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | 
       <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2577417"></a><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p><span><strong class="command">masters</strong></span>
           lists allow for a common set of masters to be easily used by
           multiple stub and slave zones in their <span><strong class="command">masters</strong></span>
           or <span><strong class="command">also-notify</strong></span> lists.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2577438"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
 <p>
           This is the grammar of the <span><strong class="command">options</strong></span>
           statement in the <code class="filename">named.conf</code> file:
         </p>
 <pre class="programlisting"><span><strong class="command">options</strong></span> {
     [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
     [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
     [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
     [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
     [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
     [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
     [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
     [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> secroots-file <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> session-keyfile <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> session-keyname <em class="replaceable"><code>key_name</code></em>; </span>]
     [<span class="optional"> session-keyalg <em class="replaceable"><code>algorithm_id</code></em>; </span>]
     [<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
     [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
     [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
     [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
     [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>]
     [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> |
                         <em class="replaceable"><code>no</code></em> |
                         <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
     [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
     [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
     [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
         ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
           <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ; 
         ... }; </span>]
     [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
         ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
     [<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
     [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
     [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
     [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
     [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
     [<span class="optional"> allow-new-zones { <em class="replaceable"><code>yes_or_no</code></em> }; </span>]
     [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
     [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
     [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> no-case-compress { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
     [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
     [<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
     [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
     [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
         [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
         [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
         [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
     [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
         [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] | 
         [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] 
         [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
     [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
     [<span class="optional"> transfers-in  <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
                              [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
     [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em>
                     [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ;
                     [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
     [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
     [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
     [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
     [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
     [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>];
     [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>];
     [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] };
     [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
     [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
     [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
     [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
     [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
     [<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> dns64 <em class="replaceable"><code>ipv6-prefix</code></em> {
         [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
         [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
         [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
         [<span class="optional"> suffix IPv6-address; </span>]
         [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
         [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     }; </span>];
     [<span class="optional"> dns64-server <em class="replaceable"><code>name</code></em> </span>]
     [<span class="optional"> dns64-contact <em class="replaceable"><code>name</code></em> </span>]
     [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
     [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-rsa-exponent-size <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
     [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
                                 [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
     [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
     [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-recursion-depth <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-recursion-queries <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
     [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
     [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
     [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
     [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
     [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
     [<span class="optional"> rate-limit {
         [<span class="optional"> responses-per-second <em class="replaceable"><code>number</code></em> ; </span>]
         [<span class="optional"> referrals-per-second <em class="replaceable"><code>number</code></em> ; </span>]
         [<span class="optional"> nodata-per-second <em class="replaceable"><code>number</code></em> ; </span>]
         [<span class="optional"> nxdomains-per-second <em class="replaceable"><code>number</code></em> ; </span>]
         [<span class="optional"> errors-per-second <em class="replaceable"><code>number</code></em> ; </span>]
         [<span class="optional"> all-per-second <em class="replaceable"><code>number</code></em> ; </span>]
         [<span class="optional"> window <em class="replaceable"><code>number</code></em> ; </span>]
         [<span class="optional"> log-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
         [<span class="optional"> qps-scale <em class="replaceable"><code>number</code></em> ; </span>]
         [<span class="optional"> ipv4-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
         [<span class="optional"> ipv6-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
         [<span class="optional"> slip <em class="replaceable"><code>number</code></em> ; </span>]
         [<span class="optional"> exempt-clients  { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
         [<span class="optional"> max-table-size <em class="replaceable"><code>number</code></em> ; </span>]
         [<span class="optional"> min-table-size <em class="replaceable"><code>number</code></em> ; </span>]
     } ; </span>]
     [<span class="optional"> response-policy {
         zone <em class="replaceable"><code>zone_name</code></em>
         [<span class="optional"> policy <em class="replaceable"><code>(given | disabled | passthru |
                   nxdomain | nodata | cname domain</code></em>) </span>]
         [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>]
         [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
         [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>]
         [<span class="optional"> min-ns-dots <em class="replaceable"><code>number</code></em> </span>]
         ; [<span class="optional">...</span>]
     } ; </span>]
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">options</strong></span> statement sets up global
           options
           to be used by <acronym class="acronym">BIND</acronym>. This statement
           may appear only
           once in a configuration file. If there is no <span><strong class="command">options</strong></span>
           statement, an options block with each option set to its default will
           be used.
         </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt>
 <dd>
 <p>
                   Allows multiple views to share a single cache
                   database.
                   Each view has its own cache database by default, but
                   if multiple views have the same operational policy
                   for name resolution and caching, those views can
                   share a single cache to save memory and possibly
                   improve resolution efficiency by using this option.
                 </p>
 <p>
                   The <span><strong class="command">attach-cache</strong></span> option
                   may also be specified in <span><strong class="command">view</strong></span>
                   statements, in which case it overrides the
                   global <span><strong class="command">attach-cache</strong></span> option.
                 </p>
 <p>
                   The <em class="replaceable"><code>cache_name</code></em> specifies
                   the cache to be shared.
                   When the <span><strong class="command">named</strong></span> server configures
                   views which are supposed to share a cache, it
                   creates a cache with the specified name for the
                   first view of these sharing views.
                   The rest of the views will simply refer to the
                   already created cache.
                 </p>
 <p>
                   One common configuration to share a cache would be to
                   allow all views to share a single cache.
                   This can be done by specifying
                   the <span><strong class="command">attach-cache</strong></span> as a global
                   option with an arbitrary name.
                 </p>
 <p>
                   Another possible operation is to allow a subset of
                   all views to share a cache while the others to
                   retain their own caches.
                   For example, if there are three views A, B, and C,
                   and only A and B should share a cache, specify the
                   <span><strong class="command">attach-cache</strong></span> option as a view A (or
                   B)'s option, referring to the other view name:
                 </p>
 <pre class="programlisting">
   view "A" {
     // this view has its own cache
     ...
   };
   view "B" {
     // this view refers to A's cache
     attach-cache "A";
   };
   view "C" {
     // this view has its own cache
     ...
   };
 </pre>
 <p>
                   Views that share a cache must have the same policy
                   on configurable parameters that may affect caching.
                   The current implementation requires the following
                   configurable options be consistent among these
                   views:
                   <span><strong class="command">check-names</strong></span>,
                   <span><strong class="command">cleaning-interval</strong></span>,
                   <span><strong class="command">dnssec-accept-expired</strong></span>,
                   <span><strong class="command">dnssec-validation</strong></span>,
                   <span><strong class="command">max-cache-ttl</strong></span>,
                   <span><strong class="command">max-ncache-ttl</strong></span>,
                   <span><strong class="command">max-cache-size</strong></span>, and
                   <span><strong class="command">zero-no-soa-ttl</strong></span>.
                 </p>
 <p>
                   Note that there may be other parameters that may
                   cause confusion if they are inconsistent for
                   different views that share a single cache.
                   For example, if these views define different sets of
                   forwarders that can return different answers for the
                   same question, sharing the answer does not make
                   sense or could even be harmful.
                   It is administrator's responsibility to ensure
                   configuration differences in different views do
                   not cause disruption with a shared cache.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
 <dd><p>
                 The working directory of the server.
                 Any non-absolute pathnames in the configuration file will be
                 taken
                 as relative to this directory. The default location for most
                 server
                 output files (e.g. <code class="filename">named.run</code>)
                 is this directory.
                 If a directory is not specified, the working directory
                 defaults to `<code class="filename">.</code>', the directory from
                 which the server
                 was started. The directory specified should be an absolute
                 path.
               </p></dd>
 <dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
 <dd><p>
                 When performing dynamic update of secure zones, the
                 directory where the public and private DNSSEC key files
                 should be found, if different than the current working
                 directory.  (Note that this option has no effect on the
                 paths for files containing non-DNSSEC keys such as
                 <code class="filename">bind.keys</code>,
                 <code class="filename">rndc.key</code> or
                 <code class="filename">session.key</code>.)
               </p></dd>
 <dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt>
 <dd>
 <p>
                 Specifies the directory in which to store the files that
                 track managed DNSSEC keys.  By default, this is the working
                 directory.
               </p>
 <p>
                 If <span><strong class="command">named</strong></span> is not configured to use views,
                 then managed keys for the server will be tracked in a single
                 file called <code class="filename">managed-keys.bind</code>.
                 Otherwise, managed keys will be tracked in separate files,
                 one file per view; each file name will be the SHA256 hash
                 of the view name, followed by the extension
                 <code class="filename">.mkeys</code>.
               </p>
 </dd>
 <dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
 <dd><p>
                 <span class="emphasis"><em>This option is obsolete.</em></span> It
                 was used in <acronym class="acronym">BIND</acronym> 8 to specify
                 the pathname to the <span><strong class="command">named-xfer</strong></span>
                 program.  In <acronym class="acronym">BIND</acronym> 9, no separate
                 <span><strong class="command">named-xfer</strong></span> program is needed;
                 its functionality is built into the name server.
               </p></dd>
 <dt><span class="term"><span><strong class="command">tkey-gssapi-keytab</strong></span></span></dt>
 <dd><p>
                 The KRB5 keytab file to use for GSS-TSIG updates. If
                 this option is set and tkey-gssapi-credential is not
                 set, then updates will be allowed with any key
                 matching a principal in the specified keytab.
               </p></dd>
 <dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
 <dd><p>
                 The security credential with which the server should
                 authenticate keys requested by the GSS-TSIG protocol.
                 Currently only Kerberos 5 authentication is available
                 and the credential is a Kerberos principal which the
                 server can acquire through the default system key
                 file, normally <code class="filename">/etc/krb5.keytab</code>.
                 The location keytab file can be overridden using the
                 tkey-gssapi-keytab option. Normally this principal is
                 of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
                 To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span> must
                 also be set if a specific keytab is not set with
                 tkey-gssapi-keytab.
               </p></dd>
 <dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
 <dd><p>
                 The domain appended to the names of all shared keys
                 generated with <span><strong class="command">TKEY</strong></span>.  When a
                 client requests a <span><strong class="command">TKEY</strong></span> exchange,
                 it may or may not specify the desired name for the
                 key. If present, the name of the shared key will
                 be <code class="varname">client specified part</code> +
                 <code class="varname">tkey-domain</code>.  Otherwise, the
                 name of the shared key will be <code class="varname">random hex
                 digits</code> + <code class="varname">tkey-domain</code>.
                 In most cases, the <span><strong class="command">domainname</strong></span>
                 should be the server's domain name, or an otherwise
                 non-existent subdomain like
                 "_tkey.<code class="varname">domainname</code>".  If you are
                 using GSS-TSIG, this variable must be defined, unless
                 you specify a specific keytab using tkey-gssapi-keytab.
               </p></dd>
 <dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
 <dd><p>
                 The Diffie-Hellman key used by the server
                 to generate shared keys with clients using the Diffie-Hellman
                 mode
                 of <span><strong class="command">TKEY</strong></span>. The server must be
                 able to load the
                 public and private keys from files in the working directory.
                 In
                 most cases, the keyname should be the server's host name.
               </p></dd>
 <dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
 <dd><p>
                 This is for testing only.  Do not use.
               </p></dd>
 <dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
 <dd><p>
                 The pathname of the file the server dumps
                 the database to when instructed to do so with
                 <span><strong class="command">rndc dumpdb</strong></span>.
                 If not specified, the default is <code class="filename">named_dump.db</code>.
               </p></dd>
 <dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
 <dd><p>
                 The pathname of the file the server writes memory
                 usage statistics to on exit. If not specified,
                 the default is <code class="filename">named.memstats</code>.
               </p></dd>
 <dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
 <dd><p>
                 The pathname of the file the server writes its process ID
                 in. If not specified, the default is
                 <code class="filename">/var/run/named/named.pid</code>.
                 The PID file is used by programs that want to send signals to
                 the running
                 name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
                 use of a PID file &#8212; no file will be written and any
                 existing one will be removed.  Note that <span><strong class="command">none</strong></span>
                 is a keyword, not a filename, and therefore is not enclosed
                 in
                 double quotes.
               </p></dd>
 <dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt>
 <dd><p>
                 The pathname of the file the server dumps
                 the queries that are currently recursing when instructed
                 to do so with <span><strong class="command">rndc recursing</strong></span>.
                 If not specified, the default is <code class="filename">named.recursing</code>.
               </p></dd>
 <dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
 <dd><p>
                 The pathname of the file the server appends statistics
                 to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
                 If not specified, the default is <code class="filename">named.stats</code> in the
                 server's current directory.  The format of the file is
                 described
                 in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
               </p></dd>
 <dt><span class="term"><span><strong class="command">bindkeys-file</strong></span></span></dt>
 <dd><p>
                 The pathname of a file to override the built-in trusted
                 keys provided by <span><strong class="command">named</strong></span>.
                 See the discussion of <span><strong class="command">dnssec-lookaside</strong></span>
                 and <span><strong class="command">dnssec-validation</strong></span> for details. 
                 If not specified, the default is
                 <code class="filename">/etc/bind.keys</code>.
               </p></dd>
 <dt><span class="term"><span><strong class="command">secroots-file</strong></span></span></dt>
 <dd><p>
                 The pathname of the file the server dumps
                 security roots to when instructed to do so with
                 <span><strong class="command">rndc secroots</strong></span>.
                 If not specified, the default is
                 <code class="filename">named.secroots</code>.
               </p></dd>
 <dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt>
 <dd><p>
                 The pathname of the file into which to write a TSIG
                 session key generated by <span><strong class="command">named</strong></span> for use by
                 <span><strong class="command">nsupdate -l</strong></span>.  If not specified, the
                 default is <code class="filename">/var/run/named/session.key</code>.
                 (See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>, and in
                 particular the discussion of the
                 <span><strong class="command">update-policy</strong></span> statement's
                 <strong class="userinput"><code>local</code></strong> option for more
                 information about this feature.)
               </p></dd>
 <dt><span class="term"><span><strong class="command">session-keyname</strong></span></span></dt>
 <dd><p>
                 The key name to use for the TSIG session key.
                 If not specified, the default is "local-ddns".
               </p></dd>
 <dt><span class="term"><span><strong class="command">session-keyalg</strong></span></span></dt>
 <dd><p>
                 The algorithm to use for the TSIG session key.
                 Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
                 hmac-sha384, hmac-sha512 and hmac-md5.  If not
                 specified, the default is hmac-sha256.
               </p></dd>
 <dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
 <dd><p>
                 The UDP/TCP port number the server uses for
                 receiving and sending DNS protocol traffic.
                 The default is 53.  This option is mainly intended for server
                 testing;
                 a server using a port other than 53 will not be able to
                 communicate with
                 the global DNS.
               </p></dd>
 <dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
 <dd><p>
                 The source of entropy to be used by the server.  Entropy is
                 primarily needed
                 for DNSSEC operations, such as TKEY transactions and dynamic
                 update of signed
                 zones.  This options specifies the device (or file) from which
                 to read
                 entropy.  If this is a file, operations requiring entropy will
                 fail when the
                 file has been exhausted.  If not specified, the default value
                 is
                 <code class="filename">/dev/random</code>
                 (or equivalent) when present, and none otherwise.  The
                 <span><strong class="command">random-device</strong></span> option takes
                 effect during
                 the initial configuration load at server startup time and
                 is ignored on subsequent reloads.
               </p></dd>
 <dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
 <dd><p>
                 If specified, the listed type (A or AAAA) will be emitted
                 before other glue
                 in the additional section of a query response.
                 The default is not to prefer any type (NONE).
               </p></dd>
 <dt>
 <a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span>
 </dt>
 <dd>
 <p>
                 Turn on enforcement of delegation-only in TLDs
                 (top level domains) and root zones with an optional
                 exclude list.
               </p>
 <p>
                 DS queries are expected to be made to and be answered by
                 delegation only zones.  Such queries and responses are
                 treated as an exception to delegation-only processing
                 and are not converted to NXDOMAIN responses provided
                 a CNAME is not discovered at the query name.
               </p>
 <p>
                 If a delegation only zone server also serves a child
                 zone it is not always possible to determine whether
                 an answer comes from the delegation only zone or the
                 child zone.  SOA NS and DNSKEY records are apex
                 only records and a matching response that contains
                 these records or DS is treated as coming from a
                 child zone.  RRSIG records are also examined to see
                 if they are signed by a child zone or not.  The
                 authority section is also examined to see if there
                 is evidence that the answer is from the child zone.
                 Answers that are determined to be from a child zone
                 are not converted to NXDOMAIN responses.  Despite
                 all these checks there is still a possibility of
                 false negatives when a child zone is being served.
               </p>
 <p>
                 Similarly false positives can arise from empty nodes
                 (no records at the name) in the delegation only zone
                 when the query type is not ANY.
               </p>
 <p>
                 Note some TLDs are not delegation only (e.g. "DE", "LV",
                 "US" and "MUSEUM").  This list is not exhaustive.
               </p>
 <pre class="programlisting">
 options {
         root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
 };
 </pre>
 </dd>
 <dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
 <dd><p>
                 Disable the specified DNSSEC algorithms at and below the
                 specified name.
                 Multiple <span><strong class="command">disable-algorithms</strong></span>
                 statements are allowed.
                 Only the most specific will be applied.
               </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
 <dd>
 <p>
                 When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the
                 validator with an alternate method to validate DNSKEY
                 records at the top of a zone.  When a DNSKEY is at or
                 below a domain specified by the deepest
                 <span><strong class="command">dnssec-lookaside</strong></span>, and the normal DNSSEC
                 validation has left the key untrusted, the trust-anchor
                 will be appended to the key name and a DLV record will be
                 looked up to see if it can validate the key.  If the DLV
                 record validates a DNSKEY (similarly to the way a DS
                 record does) the DNSKEY RRset is deemed to be trusted.
               </p>
 <p>
                 If <span><strong class="command">dnssec-lookaside</strong></span> is set to
                 <strong class="userinput"><code>auto</code></strong>, then built-in default
                 values for the DLV domain and trust anchor will be
                 used, along with a built-in key for validation.
               </p>
 <p>
                 If <span><strong class="command">dnssec-lookaside</strong></span> is set to
                 <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
                 is not used.
               </p>
 <p>
                 The default DLV key is stored in the file
                 <code class="filename">bind.keys</code>;
                 <span><strong class="command">named</strong></span> will load that key at
                 startup if <span><strong class="command">dnssec-lookaside</strong></span> is set to
                 <code class="constant">auto</code>.  A copy of the file is
                 installed along with <acronym class="acronym">BIND</acronym> 9, and is
                 current as of the release date.  If the DLV key expires, a
                 new copy of <code class="filename">bind.keys</code> can be downloaded
                 from <a href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>.
               </p>
 <p>
                 (To prevent problems if <code class="filename">bind.keys</code> is
                 not found, the current key is also compiled in to
                 <span><strong class="command">named</strong></span>.  Relying on this is not
                 recommended, however, as it requires <span><strong class="command">named</strong></span>
                 to be recompiled with a new key when the DLV key expires.)
               </p>
 <p>
                 NOTE: <span><strong class="command">named</strong></span> only loads certain specific
                 keys from <code class="filename">bind.keys</code>:  those for the
                 DLV zone and for the DNS root zone.  The file cannot be
                 used to store keys for other zones.
               </p>
 </dd>
 <dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
 <dd><p>
                 Specify hierarchies which must be or may not be secure
                 (signed and validated).  If <strong class="userinput"><code>yes</code></strong>,
                 then <span><strong class="command">named</strong></span> will only accept answers if
                 they are secure.  If <strong class="userinput"><code>no</code></strong>, then normal
                 DNSSEC validation applies allowing for insecure answers to
                 be accepted.  The specified domain must be under a
                 <span><strong class="command">trusted-keys</strong></span> or
                 <span><strong class="command">managed-keys</strong></span> statement, or
                 <span><strong class="command">dnssec-lookaside</strong></span> must be active.
               </p></dd>
 <dt><span class="term"><span><strong class="command">dns64</strong></span></span></dt>
 <dd>
 <p>
                 This directive instructs <span><strong class="command">named</strong></span> to
                 return mapped IPv4 addresses to AAAA queries when
                 there are no AAAA records.  It is intended to be
                 used in conjunction with a NAT64.  Each
                 <span><strong class="command">dns64</strong></span> defines one DNS64 prefix.
                 Multiple DNS64 prefixes can be defined.
               </p>
 <p>
                 Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
                 64 and 96 as per RFC 6052.
               </p>
 <p>
                 Additionally a reverse IP6.ARPA zone will be created for
                 the prefix to provide a mapping from the IP6.ARPA names
                 to the corresponding IN-ADDR.ARPA names using synthesized
                 CNAMEs.  <span><strong class="command">dns64-server</strong></span> and
                 <span><strong class="command">dns64-contact</strong></span> can be used to specify
                 the name of the server and contact for the zones. These
                 are settable at the view / options level.  These are
                 not settable on a per-prefix basis.
               </p>
 <p>
                 Each <span><strong class="command">dns64</strong></span> supports an optional
                 <span><strong class="command">clients</strong></span> ACL that determines which
                 clients are affected by this directive.  If not defined,
                 it defaults to <strong class="userinput"><code>any;</code></strong>.
               </p>
 <p>
                 Each <span><strong class="command">dns64</strong></span> supports an optional
                 <span><strong class="command">mapped</strong></span> ACL that selects which
                 IPv4 addresses are to be mapped in the corresponding    
                 A RRset.  If not defined it defaults to
                 <strong class="userinput"><code>any;</code></strong>.
               </p>
 <p>
                 Normally, DNS64 won't apply to a domain name that
                 owns one or more AAAA records; these records will
                 simply be returned.  The optional
                 <span><strong class="command">exclude</strong></span> ACL allows specification
                 of a list of IPv6 addresses that will be ignored
                 if they appear in a domain name's AAAA records, and
                 DNS64 will be applied to any A records the domain
                 name owns.  If not defined, <span><strong class="command">exclude</strong></span>
                 defaults to none.
               </p>
 <p>
                 A optional <span><strong class="command">suffix</strong></span> can also
                 be defined to set the bits trailing the mapped
                 IPv4 address bits.  By default these bits are
                 set to <strong class="userinput"><code>::</code></strong>.  The bits
                 matching the prefix and mapped IPv4 address
                 must be zero.
               </p>
 <p>
                 If <span><strong class="command">recursive-only</strong></span> is set to
                 <span><strong class="command">yes</strong></span> the DNS64 synthesis will
                 only happen for recursive queries.  The default
                 is <span><strong class="command">no</strong></span>.
               </p>
 <p>
                 If <span><strong class="command">break-dnssec</strong></span> is set to
                 <span><strong class="command">yes</strong></span> the DNS64 synthesis will
                 happen even if the result, if validated, would
                 cause a DNSSEC validation failure.  If this option
                 is set to <span><strong class="command">no</strong></span> (the default), the DO
                 is set on the incoming query, and there are RRSIGs on
                 the applicable records, then synthesis will not happen.
               </p>
 <pre class="programlisting">
         acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
 
         dns64 64:FF9B::/96 {
                 clients { any; };
                 mapped { !rfc1918; any; };
                 exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
                 suffix ::;
         };
 </pre>
 </dd>
 <dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt>
 <dd>
 <p>
                   If this option is set to its default value of
                   <code class="literal">maintain</code> in a zone of type
                   <code class="literal">master</code> which is DNSSEC-signed
                   and configured to allow dynamic updates (see
                   <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>), and
                   if <span><strong class="command">named</strong></span> has access to the
                   private signing key(s) for the zone, then
                   <span><strong class="command">named</strong></span> will automatically sign all new
                   or changed records and maintain signatures for the zone
                   by regenerating RRSIG records whenever they approach
                   their expiration date.
                 </p>
 <p>
                   If the option is changed to <code class="literal">no-resign</code>,
                   then <span><strong class="command">named</strong></span> will sign all new or
                   changed records, but scheduled maintenance of
                   signatures is disabled.
                 </p>
 <p>
                   With either of these settings, <span><strong class="command">named</strong></span>
                   will reject updates to a DNSSEC-signed zone when the
                   signing keys are inactive or unavailable to
                   <span><strong class="command">named</strong></span>.  (A planned third option,
                   <code class="literal">external</code>, will disable all automatic
                   signing and allow DNSSEC data to be submitted into a zone
                   via dynamic update; this is not yet implemented.)
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
 <dd>
 <p>
                 If <strong class="userinput"><code>full</code></strong>, the server will collect
                 statistical data on all zones (unless specifically
                 turned off on a per-zone basis by specifying
                 <span><strong class="command">zone-statistics terse</strong></span> or
                 <span><strong class="command">zone-statistics none</strong></span>
                 in the <span><strong class="command">zone</strong></span> statement).
                 The default is <strong class="userinput"><code>terse</code></strong>, providing
                 minimal statistics on zones (including name and
                 current serial number, but not query type
                 counters).
               </p>
 <p>
                 These statistics may be accessed via the
                 <span><strong class="command">statistics-channel</strong></span> or
                 using <span><strong class="command">rndc stats</strong></span>, which
                 will dump them to the file listed
                 in the <span><strong class="command">statistics-file</strong></span>.  See
                 also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
               </p>
 <p>
                 For backward compatibility with earlier versions
                 of BIND 9, the <span><strong class="command">zone-statistics</strong></span>
                 option can also accept <strong class="userinput"><code>yes</code></strong>
                 or <strong class="userinput"><code>no</code></strong>, which have the same
                 effect as <strong class="userinput"><code>full</code></strong> and
                 <strong class="userinput"><code>terse</code></strong>, respectively.
               </p>
 </dd>
 </dl></div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="boolean_options"></a>Boolean Options</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">allow-new-zones</strong></span></span></dt>
 <dd><p>
                   If <strong class="userinput"><code>yes</code></strong>, then zones can be
                   added at runtime via <span><strong class="command">rndc addzone</strong></span>
                   or deleted via <span><strong class="command">rndc delzone</strong></span>.
                   The default is <strong class="userinput"><code>no</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
 <dd><p>
                   If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
                   is always set on NXDOMAIN responses, even if the server is
                   not actually
                   authoritative. The default is <strong class="userinput"><code>no</code></strong>;
                   this is
                   a change from <acronym class="acronym">BIND</acronym> 8. If you
                   are using very old DNS software, you
                   may need to set it to <strong class="userinput"><code>yes</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
 <dd><p>
                   This option was used in <acronym class="acronym">BIND</acronym>
                   8 to enable checking
                   for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
                   the checks.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">memstatistics</strong></span></span></dt>
 <dd><p>
                   Write memory statistics to the file specified by
                   <span><strong class="command">memstatistics-file</strong></span> at exit.
                   The default is <strong class="userinput"><code>no</code></strong> unless
                   '-m record' is specified on the command line in
                   which case it is <strong class="userinput"><code>yes</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
 <dd>
 <p>
                   If <strong class="userinput"><code>yes</code></strong>, then the
                   server treats all zones as if they are doing zone transfers
                   across
                   a dial-on-demand dialup link, which can be brought up by
                   traffic
                   originating from this server. This has different effects
                   according
                   to zone type and concentrates the zone maintenance so that
                   it all
                   happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
                   hopefully during the one call. It also suppresses some of
                   the normal
                   zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
                 </p>
 <p>
                   The <span><strong class="command">dialup</strong></span> option
                   may also be specified in the <span><strong class="command">view</strong></span> and
                   <span><strong class="command">zone</strong></span> statements,
                   in which case it overrides the global <span><strong class="command">dialup</strong></span>
                   option.
                 </p>
 <p>
                   If the zone is a master zone, then the server will send out a
                   NOTIFY
                   request to all the slaves (default). This should trigger the
                   zone serial
                   number check in the slave (providing it supports NOTIFY)
                   allowing the slave
                   to verify the zone while the connection is active.
                   The set of servers to which NOTIFY is sent can be controlled
                   by
                   <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
                 </p>
 <p>
                   If the
                   zone is a slave or stub zone, then the server will suppress
                   the regular
                   "zone up to date" (refresh) queries and only perform them
                   when the
                   <span><strong class="command">heartbeat-interval</strong></span> expires in
                   addition to sending
                   NOTIFY requests.
                 </p>
 <p>
                   Finer control can be achieved by using
                   <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
                   messages,
                   <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
                   messages and
                   suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
                   which suppresses normal refresh processing and sends refresh
                   queries
                   when the <span><strong class="command">heartbeat-interval</strong></span>
                   expires, and
                   <strong class="userinput"><code>passive</code></strong> which just disables normal
                   refresh
                   processing.
                 </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                           <p>
                             dialup mode
                           </p>
                         </td>
 <td>
                           <p>
                             normal refresh
                           </p>
                         </td>
 <td>
                           <p>
                             heart-beat refresh
                           </p>
                         </td>
 <td>
                           <p>
                             heart-beat notify
                           </p>
                         </td>
 </tr>
 <tr>
 <td>
                           <p><span><strong class="command">no</strong></span> (default)</p>
                         </td>
 <td>
                           <p>
                             yes
                           </p>
                         </td>
 <td>
                           <p>
                             no
                           </p>
                         </td>
 <td>
                           <p>
                             no
                           </p>
                         </td>
 </tr>
 <tr>
 <td>
                           <p><span><strong class="command">yes</strong></span></p>
                         </td>
 <td>
                           <p>
                             no
                           </p>
                         </td>
 <td>
                           <p>
                             yes
                           </p>
                         </td>
 <td>
                           <p>
                             yes
                           </p>
                         </td>
 </tr>
 <tr>
 <td>
                           <p><span><strong class="command">notify</strong></span></p>
                         </td>
 <td>
                           <p>
                             yes
                           </p>
                         </td>
 <td>
                           <p>
                             no
                           </p>
                         </td>
 <td>
                           <p>
                             yes
                           </p>
                         </td>
 </tr>
 <tr>
 <td>
                           <p><span><strong class="command">refresh</strong></span></p>
                         </td>
 <td>
                           <p>
                             no
                           </p>
                         </td>
 <td>
                           <p>
                             yes
                           </p>
                         </td>
 <td>
                           <p>
                             no
                           </p>
                         </td>
 </tr>
 <tr>
 <td>
                           <p><span><strong class="command">passive</strong></span></p>
                         </td>
 <td>
                           <p>
                             no
                           </p>
                         </td>
 <td>
                           <p>
                             no
                           </p>
                         </td>
 <td>
                           <p>
                             no
                           </p>
                         </td>
 </tr>
 <tr>
 <td>
                           <p><span><strong class="command">notify-passive</strong></span></p>
                         </td>
 <td>
                           <p>
                             no
                           </p>
                         </td>
 <td>
                           <p>
                             no
                           </p>
                         </td>
 <td>
                           <p>
                             yes
                           </p>
                         </td>
 </tr>
 </tbody>
 </table></div>
 <p>
                   Note that normal NOTIFY processing is not affected by
                   <span><strong class="command">dialup</strong></span>.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
 <dd><p>
                   In <acronym class="acronym">BIND</acronym> 8, this option
                   enabled simulating the obsolete DNS query type
                   IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
                   IQUERY simulation.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
 <dd><p>
                   This option is obsolete.
                   In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
                   caused the server to attempt to fetch glue resource records
                   it
                   didn't have when constructing the additional
                   data section of a response.  This is now considered a bad
                   idea
                   and BIND 9 never does it.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
 <dd><p>
                   When the nameserver exits due receiving SIGTERM,
                   flush or do not flush any pending zone writes.  The default
                   is
                   <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
 <dd><p>
                   This option was incorrectly implemented
                   in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
                   To achieve the intended effect
                   of
                   <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
                   the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
                   and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
 <dd><p>
                   In BIND 8, this enables keeping of
                   statistics for every host that the name server interacts
                   with.
                   Not implemented in BIND 9.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
 <dd><p>
                   <span class="emphasis"><em>This option is obsolete</em></span>.
                   It was used in <acronym class="acronym">BIND</acronym> 8 to
                   determine whether a transaction log was
                   kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
                   log whenever possible.  If you need to disable outgoing
                   incremental zone
                   transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
 <dd><p>
                   If <strong class="userinput"><code>yes</code></strong>, then when generating
                   responses the server will only add records to the authority
                   and additional data sections when they are required (e.g.
                   delegations, negative responses).  This may improve the
                   performance of the server.
                   The default is <strong class="userinput"><code>no</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
 <dd><p>
                   This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
                   a domain name to have multiple CNAME records in violation of
                   the DNS standards.  <acronym class="acronym">BIND</acronym> 9.2 onwards
                   always strictly enforces the CNAME rules both in master
                   files and dynamic updates.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
 <dd>
 <p>
                   If <strong class="userinput"><code>yes</code></strong> (the default),
                   DNS NOTIFY messages are sent when a zone the server is
                   authoritative for
                   changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>.  The messages are
                   sent to the
                   servers listed in the zone's NS records (except the master
                   server identified
                   in the SOA MNAME field), and to any servers listed in the
                   <span><strong class="command">also-notify</strong></span> option.
                 </p>
 <p>
                   If <strong class="userinput"><code>master-only</code></strong>, notifies are only
                   sent
                   for master zones.
                   If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
                   to
                   servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
                   If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
                 </p>
 <p>
                   The <span><strong class="command">notify</strong></span> option may also be
                   specified in the <span><strong class="command">zone</strong></span>
                   statement,
                   in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
                   It would only be necessary to turn off this option if it
                   caused slaves
                   to crash.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
 <dd><p>
                   If <strong class="userinput"><code>yes</code></strong> do not check the nameservers
                   in the NS RRset against the SOA MNAME.  Normally a NOTIFY
                   message is not sent to the SOA MNAME (SOA ORIGIN) as it is
                   supposed to contain the name of the ultimate master.
                   Sometimes, however, a slave is listed as the SOA MNAME in
                   hidden master configurations and in that case you would
                   want the ultimate master to still send NOTIFY messages to
                   all the nameservers listed in the NS RRset.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
 <dd><p>
                   If <strong class="userinput"><code>yes</code></strong>, and a
                   DNS query requests recursion, then the server will attempt
                   to do
                   all the work required to answer the query. If recursion is
                   off
                   and the server does not already know the answer, it will
                   return a
                   referral response. The default is
                   <strong class="userinput"><code>yes</code></strong>.
                   Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
                   clients from getting data from the server's cache; it only
                   prevents new data from being cached as an effect of client
                   queries.
                   Caching may still occur as an effect the server's internal
                   operation, such as NOTIFY address lookups.
                   See also <span><strong class="command">fetch-glue</strong></span> above.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">request-nsid</strong></span></span></dt>
 <dd><p>
                   If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0)
                   NSID (Name Server Identifier) option is sent with all 
                   queries to authoritative name servers during iterative
                   resolution. If the authoritative server returns an NSID
                   option in its response, then its contents are logged in
                   the <span><strong class="command">resolver</strong></span> category at level
                   <span><strong class="command">info</strong></span>.
                   The default is <strong class="userinput"><code>no</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
 <dd>
 <p>
                   Setting this to <strong class="userinput"><code>yes</code></strong> will
                   cause the server to send NS records along with the SOA
                   record for negative
                   answers. The default is <strong class="userinput"><code>no</code></strong>.
                 </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
                     Not yet implemented in <acronym class="acronym">BIND</acronym>
                     9.
                   </p>
 </div>
 </dd>
 <dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
 <dd><p>
                   <span class="emphasis"><em>This option is obsolete</em></span>.
                   <acronym class="acronym">BIND</acronym> 9 always allocates query
                   IDs from a pool.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
 <dd><p>
                   <span class="emphasis"><em>This option is obsolete</em></span>.
                   If you need to disable IXFR to a particular server or
                   servers, see
                   the information on the <span><strong class="command">provide-ixfr</strong></span> option
                   in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
             Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
             Usage&#8221;</a>.
                   See also
                   <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
 <dd><p>
                   See the description of
                   <span><strong class="command">provide-ixfr</strong></span> in
                   <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
             Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
             Usage&#8221;</a>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
 <dd><p>
                   See the description of
                   <span><strong class="command">request-ixfr</strong></span> in
                   <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
             Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
             Usage&#8221;</a>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
 <dd><p>
                   This option was used in <acronym class="acronym">BIND</acronym>
                   8 to make
                   the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
                   as a space or tab character,
                   to facilitate loading of zone files on a UNIX system that
                   were generated
                   on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
                   and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines
                   are always accepted,
                   and the option is ignored.
                 </p></dd>
 <dt>
 <span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
 </dt>
 <dd>
 <p>
                   These options control the behavior of an authoritative
                   server when
                   answering queries which have additional data, or when
                   following CNAME
                   and DNAME chains.
                 </p>
 <p>
                   When both of these options are set to <strong class="userinput"><code>yes</code></strong>
                   (the default) and a
                   query is being answered from authoritative data (a zone
                   configured into the server), the additional data section of
                   the
                   reply will be filled in using data from other authoritative
                   zones
                   and from the cache.  In some situations this is undesirable,
                   such
                   as when there is concern over the correctness of the cache,
                   or
                   in servers where slave zones may be added and modified by
                   untrusted third parties.  Also, avoiding
                   the search for this additional data will speed up server
                   operations
                   at the possible expense of additional queries to resolve
                   what would
                   otherwise be provided in the additional section.
                 </p>
 <p>
                   For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
                   and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
                   records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
                   if known, even though they are not in the example.com zone.
                   Setting these options to <span><strong class="command">no</strong></span>
                   disables this behavior and makes
                   the server only search for additional data in the zone it
                   answers from.
                 </p>
 <p>
                   These options are intended for use in authoritative-only
                   servers, or in authoritative-only views.  Attempts to set
                   them to <span><strong class="command">no</strong></span> without also
                   specifying
                   <span><strong class="command">recursion no</strong></span> will cause the
                   server to
                   ignore the options and log a warning message.
                 </p>
 <p>
                   Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
                   disables the use of the cache not only for additional data
                   lookups
                   but also when looking up the answer.  This is usually the
                   desired
                   behavior in an authoritative-only server where the
                   correctness of
                   the cached data is an issue.
                 </p>
 <p>
                   When a name server is non-recursively queried for a name
                   that is not
                   below the apex of any served zone, it normally answers with
                   an
                   "upwards referral" to the root servers or the servers of
                   some other
                   known parent of the query name.  Since the data in an
                   upwards referral
                   comes from the cache, the server will not be able to provide
                   upwards
                   referrals when <span><strong class="command">additional-from-cache no</strong></span>
                   has been specified.  Instead, it will respond to such
                   queries
                   with REFUSED.  This should not cause any problems since
                   upwards referrals are not required for the resolution
                   process.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
 <dd>
 <p>
                   If <strong class="userinput"><code>yes</code></strong>, then an
                   IPv4-mapped IPv6 address will match any address match
                   list entries that match the corresponding IPv4 address.
                 </p>
 <p>
                   This option was introduced to work around a kernel quirk
                   in some operating systems that causes IPv4 TCP
                   connections, such as zone transfers, to be accepted on an
                   IPv6 socket using mapped addresses.  This caused address
                   match lists designed for IPv4 to fail to match.  However,
                   <span><strong class="command">named</strong></span> now solves this problem
                   internally.  The use of this option is discouraged.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">filter-aaaa-on-v4</strong></span></span></dt>
 <dd>
 <p>
                   This option is only available when
                   <acronym class="acronym">BIND</acronym> 9 is compiled with the
                   <strong class="userinput"><code>--enable-filter-aaaa</code></strong> option on the
                   "configure" command line.  It is intended to help the
                   transition from IPv4 to IPv6 by not giving IPv6 addresses
                   to DNS clients unless they have connections to the IPv6
                   Internet.  This is not recommended unless absolutely
                   necessary.  The default is <strong class="userinput"><code>no</code></strong>.
                   The <span><strong class="command">filter-aaaa-on-v4</strong></span> option
                   may also be specified in <span><strong class="command">view</strong></span> statements
                   to override the global <span><strong class="command">filter-aaaa-on-v4</strong></span>
                   option.
                 </p>
 <p>
                   If <strong class="userinput"><code>yes</code></strong>,
                   the DNS client is at an IPv4 address, in <span><strong class="command">filter-aaaa</strong></span>,
                   and if the response does not include DNSSEC signatures, 
                   then all AAAA records are deleted from the response.
                   This filtering applies to all responses and not only
                   authoritative responses.
                 </p>
 <p>
                   If <strong class="userinput"><code>break-dnssec</code></strong>,
                   then AAAA records are deleted even when dnssec is enabled.
                   As suggested by the name, this makes the response not verify,
                   because the DNSSEC protocol is designed detect deletions.
                 </p>
 <p>
                   This mechanism can erroneously cause other servers to 
                   not give AAAA records to their clients.  
                   A recursing server with both IPv6 and IPv4 network connections
                   that queries an authoritative server using this mechanism
                   via IPv4 will be denied AAAA records even if its client is
                   using IPv6.
                 </p>
 <p>
                   This mechanism is applied to authoritative as well as
                   non-authoritative records.
                   A client using IPv4 that is not allowed recursion can
                   erroneously be given AAAA records because the server is not
                   allowed to check for A records.
                 </p>
 <p>
                   Some AAAA records are given to IPv4 clients in glue records.
                   IPv4 clients that are servers can then erroneously
                   answer requests for AAAA records received via IPv4.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
 <dd>
 <p>
                   When <strong class="userinput"><code>yes</code></strong> and the server loads a new
                   version of a master zone from its zone file or receives a
                   new version of a slave file via zone transfer, it will
                   compare the new version to the previous one and calculate
                   a set of differences.  The differences are then logged in
                   the zone's journal file such that the changes can be
                   transmitted to downstream slaves as an incremental zone
                   transfer.
                 </p>
 <p>
                   By allowing incremental zone transfers to be used for
                   non-dynamic zones, this option saves bandwidth at the
                   expense of increased CPU and memory consumption at the
                   master.
                   In particular, if the new version of a zone is completely
                   different from the previous one, the set of differences
                   will be of a size comparable to the combined size of the
                   old and new zone version, and the server will need to
                   temporarily allocate memory to hold this complete
                   difference set.
                 </p>
 <p><span><strong class="command">ixfr-from-differences</strong></span>
                   also accepts <span><strong class="command">master</strong></span> and
                   <span><strong class="command">slave</strong></span> at the view and options
                   levels which causes
                   <span><strong class="command">ixfr-from-differences</strong></span> to be enabled for
                   all <span><strong class="command">master</strong></span> or
                   <span><strong class="command">slave</strong></span> zones respectively.
                   It is off by default.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
 <dd><p>
                   This should be set when you have multiple masters for a zone
                   and the
                   addresses refer to different machines.  If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
                   not log
                   when the serial number on the master is less than what <span><strong class="command">named</strong></span>
                   currently
                   has.  The default is <strong class="userinput"><code>no</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
 <dd><p>
                   Enable DNSSEC support in <span><strong class="command">named</strong></span>.  Unless set to <strong class="userinput"><code>yes</code></strong>,
                   <span><strong class="command">named</strong></span> behaves as if it does not support DNSSEC.
                   The default is <strong class="userinput"><code>yes</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
 <dd><p>
                   Enable DNSSEC validation in <span><strong class="command">named</strong></span>.
                   Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
                   set to <strong class="userinput"><code>yes</code></strong> to be effective.
                   If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
                   is disabled.  If set to <strong class="userinput"><code>auto</code></strong>,
                   DNSSEC validation is enabled, and a default
                   trust-anchor for the DNS root zone is used.  If set to
                   <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled,
                   but a trust anchor must be manually configured using
                   a <span><strong class="command">trusted-keys</strong></span> or
                   <span><strong class="command">managed-keys</strong></span> statement.  The default
                   is <strong class="userinput"><code>yes</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
 <dd><p>
                   Accept expired signatures when verifying DNSSEC signatures.
                   The default is <strong class="userinput"><code>no</code></strong>.
                   Setting this option to <strong class="userinput"><code>yes</code></strong>
                   leaves <span><strong class="command">named</strong></span> vulnerable to
                   replay attacks.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
 <dd><p>
                   Specify whether query logging should be started when <span><strong class="command">named</strong></span>
                   starts.
                   If <span><strong class="command">querylog</strong></span> is not specified,
                   then the query logging
                   is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
 <dd>
 <p>
                   This option is used to restrict the character set and syntax
                   of
                   certain domain names in master files and/or DNS responses
                   received
                   from the network.  The default varies according to usage
                   area.  For
                   <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
                   For <span><strong class="command">slave</strong></span> zones the default
                   is <span><strong class="command">warn</strong></span>.
                   For answers received from the network (<span><strong class="command">response</strong></span>)
                   the default is <span><strong class="command">ignore</strong></span>.
                 </p>
 <p>
                   The rules for legal hostnames and mail domains are derived
                   from RFC 952 and RFC 821 as modified by RFC 1123.
                 </p>
 <p><span><strong class="command">check-names</strong></span>
                   applies to the owner names of A, AAAA and MX records.
                   It also applies to the domain names in the RDATA of NS, SOA,
                   MX, and SRV records.
                   It also applies to the RDATA of PTR records where the owner
                   name indicated that it is a reverse lookup of a hostname
                   (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">check-dup-records</strong></span></span></dt>
 <dd><p>
                   Check master zones for records that are treated as different
                   by DNSSEC but are semantically equal in plain DNS.  The
                   default is to <span><strong class="command">warn</strong></span>.  Other possible
                   values are <span><strong class="command">fail</strong></span> and
                   <span><strong class="command">ignore</strong></span>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
 <dd><p>
                   Check whether the MX record appears to refer to a IP address.
                   The default is to <span><strong class="command">warn</strong></span>.  Other possible
                   values are <span><strong class="command">fail</strong></span> and
                   <span><strong class="command">ignore</strong></span>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
 <dd><p>
                   This option is used to check for non-terminal wildcards.
                   The use of non-terminal wildcards is almost always as a
                   result of a failure
                   to understand the wildcard matching algorithm (RFC 1034).
                   This option
                   affects master zones.  The default (<span><strong class="command">yes</strong></span>) is to check
                   for non-terminal wildcards and issue a warning.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
 <dd>
 <p>
                   Perform post load zone integrity checks on master
                   zones.  This checks that MX and SRV records refer
                   to address (A or AAAA) records and that glue
                   address records exist for delegated zones.  For
                   MX and SRV records only in-zone hostnames are
                   checked (for out-of-zone hostnames use
                   <span><strong class="command">named-checkzone</strong></span>).
                   For NS records only names below top of zone are
                   checked (for out-of-zone names and glue consistency
                   checks use <span><strong class="command">named-checkzone</strong></span>).
                   The default is <span><strong class="command">yes</strong></span>.
                 </p>
 <p>
                   The use of the SPF record for publishing Sender
                   Policy Framework is deprecated as the migration
                   from using TXT records to SPF records was abandoned.
                   Enabling this option also checks that a TXT Sender
                   Policy Framework record exists (starts with "v=spf1")
                   if there is an SPF record. Warnings are emitted if the
                   TXT record does not exist and can be suppressed with
                   <span><strong class="command">check-spf</strong></span>.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt>
 <dd><p>
                   If <span><strong class="command">check-integrity</strong></span> is set then
                   fail, warn or ignore MX records that refer
                   to CNAMES.  The default is to <span><strong class="command">warn</strong></span>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt>
 <dd><p>
                   If <span><strong class="command">check-integrity</strong></span> is set then
                   fail, warn or ignore SRV records that refer
                   to CNAMES.  The default is to <span><strong class="command">warn</strong></span>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
 <dd><p>
                   When performing integrity checks, also check that
                   sibling glue exists.  The default is <span><strong class="command">yes</strong></span>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt>
 <dd><p>
                   If <span><strong class="command">check-integrity</strong></span> is set then
                   check that there is a TXT Sender Policy Framework
                   record present (starts with "v=spf1") if there is an
                   SPF record present. The default is
                   <span><strong class="command">warn</strong></span>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
 <dd><p>
                   When returning authoritative negative responses to
                   SOA queries set the TTL of the SOA record returned in
                   the authority section to zero.
                   The default is <span><strong class="command">yes</strong></span>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
 <dd><p>
                   When caching a negative response to a SOA query
                   set the TTL to zero.
                   The default is <span><strong class="command">no</strong></span>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
 <dd>
 <p>
                   When set to the default value of <code class="literal">yes</code>,
                   check the KSK bit in each key to determine how the key
                   should be used when generating RRSIGs for a secure zone.
                 </p>
 <p>
                   Ordinarily, zone-signing keys (that is, keys without the
                   KSK bit set) are used to sign the entire zone, while
                   key-signing keys (keys with the KSK bit set) are only
                   used to sign the DNSKEY RRset at the zone apex.
                   However, if this option is set to <code class="literal">no</code>,
                   then the KSK bit is ignored; KSKs are treated as if they
                   were ZSKs and are used to sign the entire zone.  This is
                   similar to the <span><strong class="command">dnssec-signzone -z</strong></span>
                   command line option.
                 </p>
 <p>
                   When this option is set to <code class="literal">yes</code>, there
                   must be at least two active keys for every algorithm
                   represented in the DNSKEY RRset: at least one KSK and one
                   ZSK per algorithm.  If there is any algorithm for which
                   this requirement is not met, this option will be ignored
                   for that algorithm.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
 <dd>
 <p>
                   When this option and <span><strong class="command">update-check-ksk</strong></span>
                   are both set to <code class="literal">yes</code>, only key-signing
                   keys (that is, keys with the KSK bit set) will be used
                   to sign the DNSKEY RRset at the zone apex.  Zone-signing
                   keys (keys without the KSK bit set) will be used to sign
                   the remainder of the zone, but not the DNSKEY RRset.
                   This is similar to the
                   <span><strong class="command">dnssec-signzone -x</strong></span> command line option.
                 </p>
 <p>
                   The default is <span><strong class="command">no</strong></span>.  If
                   <span><strong class="command">update-check-ksk</strong></span> is set to
                   <code class="literal">no</code>, this option is ignored.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">dnssec-loadkeys-interval</strong></span></span></dt>
 <dd><p>
                   When a zone is configured with <span><strong class="command">auto-dnssec
                   maintain;</strong></span> its key repository must be checked
                   periodically to see if any new keys have been added
                   or any existing keys' timing metadata has been updated
                   (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
                   <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>).  The
                   <span><strong class="command">dnssec-loadkeys-interval</strong></span> option
                   sets the frequency of automatic repository checks, in
                   minutes.  The default is <code class="literal">60</code> (1 hour),
                   the minimum is <code class="literal">1</code> (1 minute), and the
                   maximum is <code class="literal">1440</code> (24 hours); any higher
                   value is silently reduced.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
 <dd><p>
                   Try to refresh the zone using TCP if UDP queries fail.
                   For BIND 8 compatibility, the default is
                   <span><strong class="command">yes</strong></span>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
 <dd>
 <p>
                   Allow a dynamic zone to transition from secure to
                   insecure (i.e., signed to unsigned) by deleting all
                   of the DNSKEY records.  The default is <span><strong class="command">no</strong></span>.
                   If set to <span><strong class="command">yes</strong></span>, and if the DNSKEY RRset
                   at the zone apex is deleted, all RRSIG and NSEC records
                   will be removed from the zone as well.
                 </p>
 <p>
                   If the zone uses NSEC3, then it is also necessary to
                   delete the NSEC3PARAM RRset from the zone apex; this will
                   cause the removal of all corresponding NSEC3 records.
                   (It is expected that this requirement will be eliminated
                   in a future release.)
                 </p>
 <p>
                   Note that if a zone has been configured with
                   <span><strong class="command">auto-dnssec maintain</strong></span> and the
                   private keys remain accessible in the key repository,
                   then the zone will be automatically signed again the
                   next time <span><strong class="command">named</strong></span> is started.
                 </p>
 </dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2583443"></a>Forwarding</h4></div></div></div>
 <p>
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
             name servers. It can also be used to allow queries by servers that
             do not have direct access to the Internet, but wish to look up
             exterior
             names anyway. Forwarding occurs only on those queries for which
             the server is not authoritative and does not have the answer in
             its cache.
           </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
 <dd><p>
                   This option is only meaningful if the
                   forwarders list is not empty. A value of <code class="varname">first</code>,
                   the default, causes the server to query the forwarders
                   first &#8212; and
                   if that doesn't answer the question, the server will then
                   look for
                   the answer itself. If <code class="varname">only</code> is
                   specified, the
                   server will only query the forwarders.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
 <dd><p>
                   Specifies the IP addresses to be used
                   for forwarding. The default is the empty list (no
                   forwarding).
                 </p></dd>
 </dl></div>
 <p>
             Forwarding can also be configured on a per-domain basis, allowing
             for the global forwarding options to be overridden in a variety
             of ways. You can set particular domains to use different
             forwarders,
             or have a different <span><strong class="command">forward only/first</strong></span> behavior,
             or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
             Statement Grammar">the section called &#8220;<span><strong class="command">zone</strong></span>
             Statement Grammar&#8221;</a>.
           </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2583570"></a>Dual-stack Servers</h4></div></div></div>
 <p>
             Dual-stack servers are used as servers of last resort to work
             around
             problems in reachability due the lack of support for either IPv4
             or IPv6
             on the host machine.
           </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt>
 <dd><p>
                   Specifies host names or addresses of machines with access to
                   both IPv4 and IPv6 transports. If a hostname is used, the
                   server must be able
                   to resolve the name using only the transport it has.  If the
                   machine is dual
                   stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
                   access to a transport has been disabled on the command line
                   (e.g. <span><strong class="command">named -4</strong></span>).
                 </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="access_control"></a>Access Control</h4></div></div></div>
 <p>
             Access to the server can be restricted based on the IP address
             of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
             details on how to specify IP address lists.
           </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
 <dd><p>
                   Specifies which hosts are allowed to
                   notify this server, a slave, of zone changes in addition
                   to the zone masters.
                   <span><strong class="command">allow-notify</strong></span> may also be
                   specified in the
                   <span><strong class="command">zone</strong></span> statement, in which case
                   it overrides the
                   <span><strong class="command">options allow-notify</strong></span>
                   statement.  It is only meaningful
                   for a slave zone.  If not specified, the default is to
                   process notify messages
                   only from a zone's master.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
 <dd>
 <p>
                   Specifies which hosts are allowed to ask ordinary
                   DNS questions. <span><strong class="command">allow-query</strong></span> may
                   also be specified in the <span><strong class="command">zone</strong></span>
                   statement, in which case it overrides the
                   <span><strong class="command">options allow-query</strong></span> statement.
                   If not specified, the default is to allow queries
                   from all hosts.
                 </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
                     <span><strong class="command">allow-query-cache</strong></span> is now
                     used to specify access to the cache.
                   </p>
 </div>
 </dd>
 <dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
 <dd>
 <p>
                   Specifies which local addresses can accept ordinary
                   DNS questions. This makes it possible, for instance,
                   to allow queries on internal-facing interfaces but
                   disallow them on external-facing ones, without
                   necessarily knowing the internal network's addresses.
                 </p>
 <p>
                   Note that <span><strong class="command">allow-query-on</strong></span> is only
                   checked for queries that are permitted by
                   <span><strong class="command">allow-query</strong></span>.  A query must be
                   allowed by both ACLs, or it will be refused.
                 </p>
 <p>
                   <span><strong class="command">allow-query-on</strong></span> may
                   also be specified in the <span><strong class="command">zone</strong></span>
                   statement, in which case it overrides the
                   <span><strong class="command">options allow-query-on</strong></span> statement.
                 </p>
 <p>
                   If not specified, the default is to allow queries
                   on all addresses.
                 </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
                     <span><strong class="command">allow-query-cache</strong></span> is
                     used to specify access to the cache.
                   </p>
 </div>
 </dd>
 <dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
 <dd><p>
                   Specifies which hosts are allowed to get answers
                   from the cache.  If <span><strong class="command">allow-query-cache</strong></span>
                   is not set then <span><strong class="command">allow-recursion</strong></span>
                   is used if set, otherwise <span><strong class="command">allow-query</strong></span>
                   is used if set unless <span><strong class="command">recursion no;</strong></span> is
                   set in which case <span><strong class="command">none;</strong></span> is used,
                   otherwise the default (<span><strong class="command">localnets;</strong></span>
                   <span><strong class="command">localhost;</strong></span>) is used.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
 <dd><p>
                   Specifies which local addresses can give answers
                   from the cache.  If not specified, the default is
                   to allow cache queries on any address,
                   <span><strong class="command">localnets</strong></span> and
                   <span><strong class="command">localhost</strong></span>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
 <dd><p>
                   Specifies which hosts are allowed to make recursive
                   queries through this server. If
                   <span><strong class="command">allow-recursion</strong></span> is not set
                   then <span><strong class="command">allow-query-cache</strong></span> is
                   used if set, otherwise <span><strong class="command">allow-query</strong></span>
                   is used if set, otherwise the default
                   (<span><strong class="command">localnets;</strong></span>
                   <span><strong class="command">localhost;</strong></span>) is used.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">allow-recursion-on</strong></span></span></dt>
 <dd><p>
                   Specifies which local addresses can accept recursive
                   queries.  If not specified, the default is to allow
                   recursive queries on all addresses.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
 <dd><p>
                   Specifies which hosts are allowed to
                   submit Dynamic DNS updates for master zones. The default is
                   to deny
                   updates from all hosts.  Note that allowing updates based
                   on the requestor's IP address is insecure; see
                   <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
 <dd>
 <p>
                   Specifies which hosts are allowed to
                   submit Dynamic DNS updates to slave zones to be forwarded to
                   the
                   master.  The default is <strong class="userinput"><code>{ none; }</code></strong>,
                   which
                   means that no update forwarding will be performed.  To
                   enable
                   update forwarding, specify
                   <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
                   Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
                   <strong class="userinput"><code>{ any; }</code></strong> is usually
                   counterproductive, since
                   the responsibility for update access control should rest
                   with the
                   master server, not the slaves.
                 </p>
 <p>
                   Note that enabling the update forwarding feature on a slave
                   server
                   may expose master servers relying on insecure IP address
                   based
                   access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
                   for more details.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt>
 <dd><p>
                   This option was introduced for the smooth transition from
                   AAAA
                   to A6 and from "nibble labels" to binary labels.
                   However, since both A6 and binary labels were then
                   deprecated,
                   this option was also deprecated.
                   It is now ignored with some warning messages.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
 <dd><p>
                   Specifies which hosts are allowed to
                   receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
                   also be specified in the <span><strong class="command">zone</strong></span>
                   statement, in which
                   case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
                   If not specified, the default is to allow transfers to all
                   hosts.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt>
 <dd><p>
                   Specifies a list of addresses that the
                   server will not accept queries from or use to resolve a
                   query. Queries
                   from these addresses will not be responded to. The default
                   is <strong class="userinput"><code>none</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">filter-aaaa</strong></span></span></dt>
 <dd><p>
                   Specifies a list of addresses to which
                   <span><strong class="command">filter-aaaa-on-v4</strong></span>
                   is applies.  The default is <strong class="userinput"><code>any</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">no-case-compress</strong></span></span></dt>
 <dd>
 <p>
                   Specifies a list of addresses which require responses
                   to use case-insensitive compression.  This ACL can be
                   used when <span><strong class="command">named</strong></span> needs to work with
                   clients that do not comply with the requirement in RFC
                   1034 to use case-insensitive name comparisons when
                   checking for matching domain names.
                 </p>
 <p>
                   If left undefined, the ACL defaults to
                   <span><strong class="command">none</strong></span>: case-insensitive compression
                   will be used for all clients.  If the ACL is defined and
                   matches a client, then case will be ignored when
                   compressing domain names in DNS responses sent to that
                   client.
                 </p>
 <p>
                   This can result in slightly smaller responses: if
                   a response contains the names "example.com" and
                   "example.COM", case-insensitive compression would treat
                   the second one as a duplicate.  It also ensures
                   that the case of the query name exactly matches the
                   case of the owner names of returned records, rather
                   than matching the case of the records entered in
                   the zone file.  This allows responses to exactly
                   match the query, which is required by some clients
                   due to incorrect use of case-sensitive comparisons.
                 </p>
 <p>
                   Case-insensitive compression is <span class="emphasis"><em>always</em></span>
                   used in AXFR and IXFR responses, regardless of whether
                   the client matches this ACL.
                 </p>
 <p>
                   There are circumstances in which <span><strong class="command">named</strong></span>
                   will not preserve the case of owner names of records:
                   if a zone file defines records of different types with
                   the same name, but the capitalization of the name is
                   different (e.g., "www.example.com/A" and
                   "WWW.EXAMPLE.COM/AAAA"), then all responses for that
                   name will use the <span class="emphasis"><em>first</em></span> version
                   of the name that was used in the zone file.  This
                   limitation may be addressed in a future release.  However,
                   domain names specified in the rdata of resource records
                   (i.e., records of type NS, MX, CNAME, etc) will always
                   have their case preserved unless the client matches this
                   ACL.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt>
 <dd><p>
                   The amount of time the resolver will spend attempting
                   to resolve a recursive query before failing.  The default
                   and minimum is <code class="literal">10</code> and the maximum is
                   <code class="literal">30</code>.  Setting it to <code class="literal">0</code>
                   will result in the default being used.
                 </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2584312"></a>Interfaces</h4></div></div></div>
 <p>
             The interfaces and ports that the server will answer queries
             from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
             an optional port and an <code class="varname">address_match_list</code>
             of IPv4 addresses.  (IPv6 addresses are ignored, with a
             logged warning.)
             The server will listen on all interfaces allowed by the address
             match list. If a port is not specified, port 53 will be used.
           </p>
 <p>
             Multiple <span><strong class="command">listen-on</strong></span> statements are
             allowed.
             For example,
           </p>
 <pre class="programlisting">listen-on { 5.6.7.8; };
 listen-on port 1234 { !1.2.3.4; 1.2/16; };
 </pre>
 <p>
             will enable the name server on port 53 for the IP address
             5.6.7.8, and on port 1234 of an address on the machine in net
             1.2 that is not 1.2.3.4.
           </p>
 <p>
             If no <span><strong class="command">listen-on</strong></span> is specified, the
             server will listen on port 53 on all IPv4 interfaces.
           </p>
 <p>
             The <span><strong class="command">listen-on-v6</strong></span> option is used to
             specify the interfaces and the ports on which the server will
             listen
             for incoming queries sent using IPv6.
           </p>
 <p>
             When </p>
 <pre class="programlisting">{ any; }</pre>
 <p> is
             specified
             as the <code class="varname">address_match_list</code> for the
             <span><strong class="command">listen-on-v6</strong></span> option,
             the server does not bind a separate socket to each IPv6 interface
             address as it does for IPv4 if the operating system has enough API
             support for IPv6 (specifically if it conforms to RFC 3493 and RFC
             3542).
             Instead, it listens on the IPv6 wildcard address.
             If the system only has incomplete API support for IPv6, however,
             the behavior is the same as that for IPv4.
           </p>
 <p>
             A list of particular IPv6 addresses can also be specified, in
             which case
             the server listens on a separate socket for each specified
             address,
             regardless of whether the desired API is supported by the system.
             IPv4 addresses specified in <span><strong class="command">listen-on-v6</strong></span>
             will be ignored, with a logged warning.
           </p>
 <p>
             Multiple <span><strong class="command">listen-on-v6</strong></span> options can
             be used.
             For example,
           </p>
 <pre class="programlisting">listen-on-v6 { any; };
 listen-on-v6 port 1234 { !2001:db8::/32; any; };
 </pre>
 <p>
             will enable the name server on port 53 for any IPv6 addresses
             (with a single wildcard socket),
             and on port 1234 of IPv6 addresses that is not in the prefix
             2001:db8::/32 (with separate sockets for each matched address.)
           </p>
 <p>
             To make the server not listen on any IPv6 address, use
           </p>
 <pre class="programlisting">listen-on-v6 { none; };
 </pre>
 <p>
             If no <span><strong class="command">listen-on-v6</strong></span> option is
             specified, the server will not listen on any IPv6 address
             unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is
             invoked.  If <span><strong class="command">-6</strong></span> is specified then
             <span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default.
           </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="query_address"></a>Query Address</h4></div></div></div>
 <p>
             If the server doesn't know the answer to a question, it will
             query other name servers. <span><strong class="command">query-source</strong></span> specifies
             the address and port used for such queries. For queries sent over
             IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
             If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
             a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>)
             will be used.
           </p>
 <p>
             If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
             a random port number from a pre-configured
             range is picked up and will be used for each query.
             The port range(s) is that specified in
             the <span><strong class="command">use-v4-udp-ports</strong></span> (for IPv4)
             and <span><strong class="command">use-v6-udp-ports</strong></span> (for IPv6)
             options, excluding the ranges specified in
             the <span><strong class="command">avoid-v4-udp-ports</strong></span>
             and <span><strong class="command">avoid-v6-udp-ports</strong></span> options, respectively.
           </p>
 <p>
             The defaults of the <span><strong class="command">query-source</strong></span> and
             <span><strong class="command">query-source-v6</strong></span> options
             are:
           </p>
 <pre class="programlisting">query-source address * port *;
 query-source-v6 address * port *;
 </pre>
 <p>
             If <span><strong class="command">use-v4-udp-ports</strong></span> or
             <span><strong class="command">use-v6-udp-ports</strong></span> is unspecified,
             <span><strong class="command">named</strong></span> will check if the operating
             system provides a programming interface to retrieve the
             system's default range for ephemeral ports.
             If such an interface is available,
             <span><strong class="command">named</strong></span> will use the corresponding system
             default range; otherwise, it will use its own defaults:
          </p>
 <pre class="programlisting">use-v4-udp-ports { range 1024 65535; };
 use-v6-udp-ports { range 1024 65535; };
 </pre>
 <p>
             Note: make sure the ranges be sufficiently large for
             security.  A desirable size depends on various parameters,
             but we generally recommend it contain at least 16384 ports
             (14 bits of entropy).
             Note also that the system's default range when used may be
             too small for this purpose, and that the range may even be
             changed while <span><strong class="command">named</strong></span> is running; the new
             range will automatically be applied when <span><strong class="command">named</strong></span>
             is reloaded.
             It is encouraged to
             configure <span><strong class="command">use-v4-udp-ports</strong></span> and
             <span><strong class="command">use-v6-udp-ports</strong></span> explicitly so that the
             ranges are sufficiently large and are reasonably
             independent from the ranges used by other applications.
           </p>
 <p>
             Note: the operational configuration
             where <span><strong class="command">named</strong></span> runs may prohibit the use
             of some ports.  For example, UNIX systems will not allow
             <span><strong class="command">named</strong></span> running without a root privilege
             to use ports less than 1024.
             If such ports are included in the specified (or detected)
             set of query ports, the corresponding query attempts will
             fail, resulting in resolution failures or delay.
             It is therefore important to configure the set of ports
             that can be safely used in the expected operational environment.
           </p>
 <p>
             The defaults of the <span><strong class="command">avoid-v4-udp-ports</strong></span> and
             <span><strong class="command">avoid-v6-udp-ports</strong></span> options
             are:
           </p>
 <pre class="programlisting">avoid-v4-udp-ports {};
 avoid-v6-udp-ports {};
 </pre>
 <p>
             Note: BIND 9.5.0 introduced
             the <span><strong class="command">use-queryport-pool</strong></span> 
             option to support a pool of such random ports, but this
             option is now obsolete because reusing the same ports in
             the pool may not be sufficiently secure.
             For the same reason, it is generally strongly discouraged to
             specify a particular port for the
             <span><strong class="command">query-source</strong></span> or
             <span><strong class="command">query-source-v6</strong></span> options;
             it implicitly disables the use of randomized port numbers.
           </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">use-queryport-pool</strong></span></span></dt>
 <dd><p>
                   This option is obsolete.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
 <dd><p>
                   This option is obsolete.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
 <dd><p>
                   This option is obsolete.
                 </p></dd>
 </dl></div>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
               The address specified in the <span><strong class="command">query-source</strong></span> option
               is used for both UDP and TCP queries, but the port applies only
               to UDP queries.  TCP queries always use a random
               unprivileged port.
             </p>
 </div>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
               Solaris 2.5.1 and earlier does not support setting the source
               address for TCP sockets.
             </p>
 </div>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
               See also <span><strong class="command">transfer-source</strong></span> and
               <span><strong class="command">notify-source</strong></span>.
             </p>
 </div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
 <p>
             <acronym class="acronym">BIND</acronym> has mechanisms in place to
             facilitate zone transfers
             and set limits on the amount of load that transfers place on the
             system. The following options apply to zone transfers.
           </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
 <dd>
 <p>
                   Defines a global list of IP addresses of name servers
                   that are also sent NOTIFY messages whenever a fresh copy of
                   the
                   zone is loaded, in addition to the servers listed in the
                   zone's NS records.
                   This helps to ensure that copies of the zones will
                   quickly converge on stealth servers.
                   Optionally, a port may be specified with each
                   <span><strong class="command">also-notify</strong></span> address to send
                   the notify messages to a port other than the
                   default of 53.
                   An optional TSIG key can also be specified with each
                   address to cause the notify messages to be signed; this
                   can be useful when sending notifies to multiple views.
                   In place of explicit addresses, one or more named
                   <span><strong class="command">masters</strong></span> lists can be used.
                 </p>
 <p>
                   If an <span><strong class="command">also-notify</strong></span> list
                   is given in a <span><strong class="command">zone</strong></span> statement,
                   it will override
                   the <span><strong class="command">options also-notify</strong></span>
                   statement. When a <span><strong class="command">zone notify</strong></span>
                   statement
                   is set to <span><strong class="command">no</strong></span>, the IP
                   addresses in the global <span><strong class="command">also-notify</strong></span> list will
                   not be sent NOTIFY messages for that zone. The default is
                   the empty
                   list (no global notification list).
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
 <dd><p>
                   Inbound zone transfers running longer than
                   this many minutes will be terminated. The default is 120
                   minutes
                   (2 hours).  The maximum value is 28 days (40320 minutes).
                 </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
 <dd><p>
                   Inbound zone transfers making no progress
                   in this many minutes will be terminated. The default is 60
                   minutes
                   (1 hour).  The maximum value is 28 days (40320 minutes).
                 </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
 <dd><p>
                   Outbound zone transfers running longer than
                   this many minutes will be terminated. The default is 120
                   minutes
                   (2 hours).  The maximum value is 28 days (40320 minutes).
                 </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
 <dd><p>
                   Outbound zone transfers making no progress
                   in this many minutes will be terminated.  The default is 60
                   minutes (1
                   hour).  The maximum value is 28 days (40320 minutes).
                 </p></dd>
 <dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
 <dd>
 <p>
                   Slave servers will periodically query master
                   servers to find out if zone serial numbers have
                   changed. Each such query uses a minute amount of
                   the slave server's network bandwidth.  To limit
                   the amount of bandwidth used, BIND 9 limits the
                   rate at which queries are sent.  The value of the
                   <span><strong class="command">serial-query-rate</strong></span> option, an
                   integer, is the maximum number of queries sent
                   per second.  The default is 20 per second.
                   The lowest possible rate is one per second; when set
                   to zero, it will be silently raised to one.
                 </p>
 <p>
                   In addition to controlling the rate SOA refresh
                   queries are issued at
                   <span><strong class="command">serial-query-rate</strong></span> also controls
                   the rate at which NOTIFY messages are sent from
                   both master and slave zones.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
 <dd><p>
                   In BIND 8, the <span><strong class="command">serial-queries</strong></span>
                   option
                   set the maximum number of concurrent serial number queries
                   allowed to be outstanding at any given time.
                   BIND 9 does not limit the number of outstanding
                   serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
                   Instead, it limits the rate at which the queries are sent
                   as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt>
 <dd><p>
                   Zone transfers can be sent using two different formats,
                   <span><strong class="command">one-answer</strong></span> and
                   <span><strong class="command">many-answers</strong></span>.
                   The <span><strong class="command">transfer-format</strong></span> option is used
                   on the master server to determine which format it sends.
                   <span><strong class="command">one-answer</strong></span> uses one DNS message per
                   resource record transferred.
                   <span><strong class="command">many-answers</strong></span> packs as many resource
                   records as possible into a message.
                   <span><strong class="command">many-answers</strong></span> is more efficient, but is
                   only supported by relatively new slave servers,
                   such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
                   8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
                   The <span><strong class="command">many-answers</strong></span> format is also supported by
                   recent Microsoft Windows nameservers.
                   The default is <span><strong class="command">many-answers</strong></span>.
                   <span><strong class="command">transfer-format</strong></span> may be overridden on a
                   per-server basis by using the <span><strong class="command">server</strong></span>
                   statement.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt>
 <dd><p>
                   The maximum number of inbound zone transfers
                   that can be running concurrently. The default value is <code class="literal">10</code>.
                   Increasing <span><strong class="command">transfers-in</strong></span> may
                   speed up the convergence
                   of slave zones, but it also may increase the load on the
                   local system.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt>
 <dd><p>
                   The maximum number of outbound zone transfers
                   that can be running concurrently. Zone transfer requests in
                   excess
                   of the limit will be refused. The default value is <code class="literal">10</code>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt>
 <dd><p>
                   The maximum number of inbound zone transfers
                   that can be concurrently transferring from a given remote
                   name server.
                   The default value is <code class="literal">2</code>.
                   Increasing <span><strong class="command">transfers-per-ns</strong></span>
                   may
                   speed up the convergence of slave zones, but it also may
                   increase
                   the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
                   be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
                   of the <span><strong class="command">server</strong></span> statement.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
 <dd>
 <p><span><strong class="command">transfer-source</strong></span>
                   determines which local address will be bound to IPv4
                   TCP connections used to fetch zones transferred
                   inbound by the server.  It also determines the
                   source IPv4 address, and optionally the UDP port,
                   used for the refresh queries and forwarded dynamic
                   updates.  If not set, it defaults to a system
                   controlled value which will usually be the address
                   of the interface "closest to" the remote end. This
                   address must appear in the remote end's
                   <span><strong class="command">allow-transfer</strong></span> option for the
                   zone being transferred, if one is specified. This
                   statement sets the
                   <span><strong class="command">transfer-source</strong></span> for all zones,
                   but can be overridden on a per-view or per-zone
                   basis by including a
                   <span><strong class="command">transfer-source</strong></span> statement within
                   the <span><strong class="command">view</strong></span> or
                   <span><strong class="command">zone</strong></span> block in the configuration
                   file.
                 </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
                     Solaris 2.5.1 and earlier does not support setting the
                     source address for TCP sockets.
                   </p>
 </div>
 </dd>
 <dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
 <dd><p>
                   The same as <span><strong class="command">transfer-source</strong></span>,
                   except zone transfers are performed using IPv6.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
 <dd>
 <p>
                   An alternate transfer source if the one listed in
                   <span><strong class="command">transfer-source</strong></span> fails and
                   <span><strong class="command">use-alt-transfer-source</strong></span> is
                   set.
                 </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
                   If you do not wish the alternate transfer source
                   to be used, you should set
                   <span><strong class="command">use-alt-transfer-source</strong></span>
                   appropriately and you should not depend upon
                   getting an answer back to the first refresh
                   query.
                 </div>
 </dd>
 <dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
 <dd><p>
                   An alternate transfer source if the one listed in
                   <span><strong class="command">transfer-source-v6</strong></span> fails and
                   <span><strong class="command">use-alt-transfer-source</strong></span> is
                   set.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
 <dd><p>
                   Use the alternate transfer sources or not.  If views are
                   specified this defaults to <span><strong class="command">no</strong></span>
                   otherwise it defaults to
                   <span><strong class="command">yes</strong></span> (for BIND 8
                   compatibility).
                 </p></dd>
 <dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
 <dd>
 <p><span><strong class="command">notify-source</strong></span>
                   determines which local source address, and
                   optionally UDP port, will be used to send NOTIFY
                   messages.  This address must appear in the slave
                   server's <span><strong class="command">masters</strong></span> zone clause or
                   in an <span><strong class="command">allow-notify</strong></span> clause.  This
                   statement sets the <span><strong class="command">notify-source</strong></span>
                   for all zones, but can be overridden on a per-zone or
                   per-view basis by including a
                   <span><strong class="command">notify-source</strong></span> statement within
                   the <span><strong class="command">zone</strong></span> or
                   <span><strong class="command">view</strong></span> block in the configuration
                   file.
                 </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
                     Solaris 2.5.1 and earlier does not support setting the
                     source address for TCP sockets.
                   </p>
 </div>
 </dd>
 <dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
 <dd><p>
                   Like <span><strong class="command">notify-source</strong></span>,
                   but applies to notify messages sent to IPv6 addresses.
                 </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2585465"></a>UDP Port Lists</h4></div></div></div>
 <p>
             <span><strong class="command">use-v4-udp-ports</strong></span>,
             <span><strong class="command">avoid-v4-udp-ports</strong></span>,
             <span><strong class="command">use-v6-udp-ports</strong></span>, and
             <span><strong class="command">avoid-v6-udp-ports</strong></span>
             specify a list of IPv4 and IPv6 UDP ports that will be
             used or not used as source ports for UDP messages.
             See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called &#8220;Query Address&#8221;</a> about how the
             available ports are determined.
             For example, with the following configuration
           </p>
 <pre class="programlisting">
 use-v6-udp-ports { range 32768 65535; };
 avoid-v6-udp-ports { 40000; range 50000 60000; };
 </pre>
 <p>
              UDP ports of IPv6 messages sent
              from <span><strong class="command">named</strong></span> will be in one
              of the following ranges: 32768 to 39999, 40001 to 49999,
              and 60001 to 65535.
            </p>
 <p>
              <span><strong class="command">avoid-v4-udp-ports</strong></span> and
              <span><strong class="command">avoid-v6-udp-ports</strong></span> can be used
              to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a
              port that is blocked by your firewall or a port that is
              used by other applications;
              if a query went out with a source port blocked by a
              firewall, the
              answer would not get by the firewall and the name server would
              have to query again.
              Note: the desired range can also be represented only with
              <span><strong class="command">use-v4-udp-ports</strong></span> and
              <span><strong class="command">use-v6-udp-ports</strong></span>, and the
              <span><strong class="command">avoid-</strong></span> options are redundant in that
              sense; they are provided for backward compatibility and
              to possibly simplify the port specification.
            </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2585525"></a>Operating System Resource Limits</h4></div></div></div>
 <p>
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
             example, <span><strong class="command">1G</strong></span> can be used instead of
             <span><strong class="command">1073741824</strong></span> to specify a limit of
             one
             gigabyte. <span><strong class="command">unlimited</strong></span> requests
             unlimited use, or the
             maximum available amount. <span><strong class="command">default</strong></span>
             uses the limit
             that was in force when the server was started. See the description
             of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.
           </p>
 <p>
             The following options set operating system resource limits for
             the name server process.  Some operating systems don't support
             some or
             any of the limits. On such systems, a warning will be issued if
             the
             unsupported limit is used.
           </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt>
 <dd><p>
                   The maximum size of a core dump. The default
                   is <code class="literal">default</code>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt>
 <dd><p>
                   The maximum amount of data memory the server
                   may use. The default is <code class="literal">default</code>.
                   This is a hard limit on server memory usage.
                   If the server attempts to allocate memory in excess of this
                   limit, the allocation will fail, which may in turn leave
                   the server unable to perform DNS service.  Therefore,
                   this option is rarely useful as a way of limiting the
                   amount of memory used by the server, but it can be used
                   to raise an operating system data size limit that is
                   too small by default.  If you wish to limit the amount
                   of memory used by the server, use the
                   <span><strong class="command">max-cache-size</strong></span> and
                   <span><strong class="command">recursive-clients</strong></span>
                   options instead.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">files</strong></span></span></dt>
 <dd><p>
                   The maximum number of files the server
                   may have open concurrently. The default is <code class="literal">unlimited</code>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt>
 <dd><p>
                   The maximum amount of stack memory the server
                   may use. The default is <code class="literal">default</code>.
                 </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="server_resource_limits"></a>Server  Resource Limits</h4></div></div></div>
 <p>
             The following options set limits on the server's
             resource consumption that are enforced internally by the
             server rather than the operating system.
           </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt>
 <dd><p>
                   This option is obsolete; it is accepted
                   and ignored for BIND 8 compatibility.  The option
                   <span><strong class="command">max-journal-size</strong></span> performs a
                   similar function in BIND 9.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
 <dd><p>
                   Sets a maximum size for each journal file
                   (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>).  When the journal file
                   approaches
                   the specified size, some of the oldest transactions in the
                   journal
                   will be automatically removed.  The largest permitted
                   value is 2 gigabytes. The default is
                   <code class="literal">unlimited</code>, which also
                   means 2 gigabytes.
                   This may also be set on a per-zone basis.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
 <dd><p>
                   In BIND 8, specifies the maximum number of host statistics
                   entries to be kept.
                   Not implemented in BIND 9.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt>
 <dd><p>
                   The maximum number of simultaneous recursive lookups
                   the server will perform on behalf of clients.  The default
                   is
                   <code class="literal">1000</code>.  Because each recursing
                   client uses a fair
                   bit of memory, on the order of 20 kilobytes, the value of
                   the
                   <span><strong class="command">recursive-clients</strong></span> option may
                   have to be decreased
                   on hosts with limited memory.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt>
 <dd><p>
                   The maximum number of simultaneous client TCP
                   connections that the server will accept.
                   The default is <code class="literal">100</code>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">reserved-sockets</strong></span></span></dt>
 <dd>
 <p>
                   The number of file descriptors reserved for TCP, stdio,
                   etc.  This needs to be big enough to cover the number of
                   interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
                   to provide room for outgoing TCP queries and incoming zone
                   transfers.  The default is <code class="literal">512</code>.
                   The minimum value is <code class="literal">128</code> and the
                   maximum value is <code class="literal">128</code> less than
                   maxsockets (-S).  This option may be removed in the future.
                 </p>
 <p>
                   This option has little effect on Windows.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt>
 <dd><p>
                   The maximum amount of memory to use for the
                   server's cache, in bytes.
                   When the amount of data in the cache
                   reaches this limit, the server will cause records to expire
                   prematurely based on an LRU based strategy so that
                   the limit is not exceeded.
                   A value of 0 is special, meaning that
                   records are purged from the cache only when their
                   TTLs expire.
                   Another special keyword <strong class="userinput"><code>unlimited</code></strong>
                   means the maximum value of 32-bit unsigned integers
                   (0xffffffff), which may not have the same effect as
                   0 on machines that support more than 32 bits of
                   memory space.
                   Any positive values less than 2MB will be ignored reset
                   to 2MB.
                   In a server with multiple views, the limit applies
                   separately to the cache of each view.
                   The default is 0.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt>
 <dd><p>
                   The listen queue depth.  The default and minimum is 10.
                   If the kernel supports the accept filter "dataready" this
                   also controls how
                   many TCP connections that will be queued in kernel space
                   waiting for
                   some data before being passed to accept.  Nonzero values
                   less than 10 will be silently raised. A value of 0 may also
                   be used; on most platforms this sets the listen queue 
                   length to a system-defined default value.
                 </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2585947"></a>Periodic Task Intervals</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
 <dd><p>
                   This interval is effectively obsolete.  Previously,
                   the server would remove expired resource records
                   from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
                   <acronym class="acronym">BIND</acronym> 9 now manages cache
                   memory in a more sophisticated manner and does not
                   rely on the periodic cleaning any more.
                   Specifying this option therefore has no effect on
                   the server's behavior.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
 <dd><p>
                   The server will perform zone maintenance tasks
                   for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
                   interval expires. The default is 60 minutes. Reasonable
                   values are up
                   to 1 day (1440 minutes).  The maximum value is 28 days
                   (40320 minutes).
                   If set to 0, no zone maintenance for these zones will occur.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt>
 <dd><p>
                   The server will scan the network interface list
                   every <span><strong class="command">interface-interval</strong></span>
                   minutes. The default
                   is 60 minutes. The maximum value is 28 days (40320 minutes).
                   If set to 0, interface scanning will only occur when
                   the configuration file is  loaded. After the scan, the
                   server will
                   begin listening for queries on any newly discovered
                   interfaces (provided they are allowed by the
                   <span><strong class="command">listen-on</strong></span> configuration), and
                   will
                   stop listening on interfaces that have gone away.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
 <dd>
 <p>
                   Name server statistics will be logged
                   every <span><strong class="command">statistics-interval</strong></span>
                   minutes. The default is
                   60. The maximum value is 28 days (40320 minutes).
                   If set to 0, no statistics will be logged.
                   </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
                     Not yet implemented in
                     <acronym class="acronym">BIND</acronym> 9.
                   </p>
 </div>
 </dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="topology"></a>Topology</h4></div></div></div>
 <p>
             All other things being equal, when the server chooses a name
             server
             to query from a list of name servers, it prefers the one that is
             topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
             takes an <span><strong class="command">address_match_list</strong></span> and
             interprets it
             in a special way. Each top-level list element is assigned a
             distance.
             Non-negated elements get a distance based on their position in the
             list, where the closer the match is to the start of the list, the
             shorter the distance is between it and the server. A negated match
             will be assigned the maximum distance from the server. If there
             is no match, the address will get a distance which is further than
             any non-negated list element, and closer than any negated element.
             For example,
           </p>
 <pre class="programlisting">topology {
     10/8;
     !1.2.3/24;
     { 1.2/16; 3/8; };
 };</pre>
 <p>
             will prefer servers on network 10 the most, followed by hosts
             on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
             exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
             is preferred least of all.
           </p>
 <p>
             The default topology is
           </p>
 <pre class="programlisting">    topology { localhost; localnets; };
 </pre>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
               The <span><strong class="command">topology</strong></span> option
               is not implemented in <acronym class="acronym">BIND</acronym> 9.
             </p>
 </div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
 <p>
             The response to a DNS query may consist of multiple resource
             records (RRs) forming a resource records set (RRset).
             The name server will normally return the
             RRs within the RRset in an indeterminate order
             (but see the <span><strong class="command">rrset-order</strong></span>
             statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).
             The client resolver code should rearrange the RRs as appropriate,
             that is, using any addresses on the local net in preference to
             other addresses.
             However, not all resolvers can do this or are correctly
             configured.
             When a client is using a local server, the sorting can be performed
             in the server, based on the client's address. This only requires
             configuring the name servers, not all the clients.
           </p>
 <p>
             The <span><strong class="command">sortlist</strong></span> statement (see below)
             takes
             an <span><strong class="command">address_match_list</strong></span> and
             interprets it even
             more specifically than the <span><strong class="command">topology</strong></span>
             statement
             does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called &#8220;Topology&#8221;</a>).
             Each top level statement in the <span><strong class="command">sortlist</strong></span> must
             itself be an explicit <span><strong class="command">address_match_list</strong></span> with
             one or two elements. The first element (which may be an IP
             address,
             an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
             of each top level list is checked against the source address of
             the query until a match is found.
           </p>
 <p>
             Once the source address of the query has been matched, if
             the top level statement contains only one element, the actual
             primitive
             element that matched the source address is used to select the
             address
             in the response to move to the beginning of the response. If the
             statement is a list of two elements, then the second element is
             treated the same as the <span><strong class="command">address_match_list</strong></span> in
             a <span><strong class="command">topology</strong></span> statement. Each top
             level element
             is assigned a distance and the address in the response with the
             minimum
             distance is moved to the beginning of the response.
           </p>
 <p>
             In the following example, any queries received from any of
             the addresses of the host itself will get responses preferring
             addresses
             on any of the locally connected networks. Next most preferred are
             addresses
             on the 192.168.1/24 network, and after that either the
             192.168.2/24
             or
             192.168.3/24 network with no preference shown between these two
             networks. Queries received from a host on the 192.168.1/24 network
             will prefer other addresses on that network to the 192.168.2/24
             and
             192.168.3/24 networks. Queries received from a host on the
             192.168.4/24
             or the 192.168.5/24 network will only prefer other addresses on
             their directly connected networks.
           </p>
 <pre class="programlisting">sortlist {
     // IF the local host
     // THEN first fit on the following nets
     { localhost;
         { localnets;
             192.168.1/24;
             { 192.168.2/24; 192.168.3/24; }; }; };
     // IF on class C 192.168.1 THEN use .1, or .2 or .3
     { 192.168.1/24;
         { 192.168.1/24;
             { 192.168.2/24; 192.168.3/24; }; }; };
     // IF on class C 192.168.2 THEN use .2, or .1 or .3
     { 192.168.2/24;
         { 192.168.2/24;
             { 192.168.1/24; 192.168.3/24; }; }; };
     // IF on class C 192.168.3 THEN use .3, or .1 or .2
     { 192.168.3/24;
         { 192.168.3/24;
             { 192.168.1/24; 192.168.2/24; }; }; };
     // IF .4 or .5 THEN prefer that net
     { { 192.168.4/24; 192.168.5/24; };
     };
 };</pre>
 <p>
             The following example will give reasonable behavior for the
             local host and hosts on directly connected networks. It is similar
             to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
             to queries from the local host will favor any of the directly
             connected
             networks. Responses sent to queries from any other hosts on a
             directly
             connected network will prefer addresses on that same network.
             Responses
             to other queries will not be sorted.
           </p>
 <pre class="programlisting">sortlist {
            { localhost; localnets; };
            { localnets; };
 };
 </pre>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
 <p>
             When multiple records are returned in an answer it may be
             useful to configure the order of the records placed into the
             response.
             The <span><strong class="command">rrset-order</strong></span> statement permits
             configuration
             of the ordering of the records in a multiple record response.
             See also the <span><strong class="command">sortlist</strong></span> statement,
             <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a>.
           </p>
 <p>
             An <span><strong class="command">order_spec</strong></span> is defined as
             follows:
           </p>
 <p>
             [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
             [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
             [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
             order <em class="replaceable"><code>ordering</code></em>
           </p>
 <p>
             If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
             If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
             If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
           </p>
 <p>
             The legal values for <span><strong class="command">ordering</strong></span> are:
           </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                     <p><span><strong class="command">fixed</strong></span></p>
                   </td>
 <td>
                     <p>
                       Records are returned in the order they
                       are defined in the zone file.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">random</strong></span></p>
                   </td>
 <td>
                     <p>
                       Records are returned in some random order.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">cyclic</strong></span></p>
                   </td>
 <td>
                     <p>
                       Records are returned in a cyclic round-robin order.
                     </p>
                     <p>
                       If <acronym class="acronym">BIND</acronym> is configured with the
                       "--enable-fixed-rrset" option at compile time, then
                       the initial ordering of the RRset will match the
                       one specified in the zone file.
                     </p>
                   </td>
 </tr>
 </tbody>
 </table></div>
 <p>
             For example:
           </p>
 <pre class="programlisting">rrset-order {
    class IN type A name "host.example.com" order random;
    order cyclic;
 };
 </pre>
 <p>
             will cause any responses for type A records in class IN that
             have "<code class="literal">host.example.com</code>" as a
             suffix, to always be returned
             in random order. All other records are returned in cyclic order.
           </p>
 <p>
             If multiple <span><strong class="command">rrset-order</strong></span> statements
             appear, they are not combined &#8212; the last one applies.
           </p>
 <p>
             By default, all records are returned in random order.
           </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
               In this release of <acronym class="acronym">BIND</acronym> 9, the
               <span><strong class="command">rrset-order</strong></span> statement does not support
               "fixed" ordering by default.  Fixed ordering can be enabled
               at compile time by specifying "--enable-fixed-rrset" on
               the "configure" command line.
             </p>
 </div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="tuning"></a>Tuning</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt>
 <dd>
 <p>
                   Sets the number of seconds to cache a
                   lame server indication. 0 disables caching. (This is
                   <span class="bold"><strong>NOT</strong></span> recommended.)
                   The default is <code class="literal">600</code> (10 minutes) and the
                   maximum value is
                   <code class="literal">1800</code> (30 minutes).
                 </p>
 <p>
                   Lame-ttl also controls the amount of time DNSSEC
                   validation failures are cached.  There is a minimum
                   of 30 seconds applied to bad cache entries if the
                   lame-ttl is set to less than 30 seconds.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt>
 <dd><p>
                   To reduce network traffic and increase performance,
                   the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
                   used to set a maximum retention time for these answers in
                   the server
                   in seconds. The default
                   <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
                   <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed
                   7 days and will
                   be silently truncated to 7 days if set to a greater value.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt>
 <dd><p>
                   Sets the maximum time for which the server will
                   cache ordinary (positive) answers. The default is
                   one week (7 days).
                   A value of zero may cause all queries to return
                   SERVFAIL, because of lost caches of intermediate
                   RRsets (such as NS and glue AAAA/A records) in the
                   resolution process.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt>
 <dd>
 <p>
                   The minimum number of root servers that
                   is required for a request for the root servers to be
                   accepted. The default
                   is <strong class="userinput"><code>2</code></strong>.
                 </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
                     Not implemented in <acronym class="acronym">BIND</acronym> 9.
                   </p>
 </div>
 </dd>
 <dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
 <dd>
 <p>
                   Specifies the number of days into the future when
                   DNSSEC signatures automatically generated as a
                   result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>) will expire.  There
                   is an optional second field which specifies how
                   long before expiry that the signatures will be
                   regenerated.  If not specified, the signatures will
                   be regenerated at 1/4 of base interval.  The second
                   field is specified in days if the base interval is
                   greater than 7 days otherwise it is specified in hours.
                   The default base interval is <code class="literal">30</code> days
                   giving a re-signing interval of 7 1/2 days.  The maximum
                   values are 10 years (3660 days).
                 </p>
 <p>
                   The signature inception time is unconditionally
                   set to one hour before the current time to allow
                   for a limited amount of clock skew.
                 </p>
 <p>
                   The <span><strong class="command">sig-validity-interval</strong></span>
                   should be, at least, several multiples of the SOA
                   expire interval to allow for reasonable interaction
                   between the various timer and expiry dates.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt>
 <dd><p>
                   Specify the maximum number of nodes to be
                   examined in each quantum when signing a zone with
                   a new DNSKEY. The default is
                   <code class="literal">100</code>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
 <dd><p>
                   Specify a threshold number of signatures that
                   will terminate processing a quantum when signing
                   a zone with a new DNSKEY.  The default is
                   <code class="literal">10</code>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt>
 <dd>
 <p>
                   Specify a private RDATA type to be used when generating
                   signing state records.  The default is
                   <code class="literal">65534</code>.
                 </p>
 <p>
                   It is expected that this parameter may be removed
                   in a future version once there is a standard type.
                 </p>
 <p>
                   Signing state records are used to internally by
                   <span><strong class="command">named</strong></span> to track the current state of
                   a zone-signing process, i.e., whether it is still active
                   or has been completed.  The records can be inspected
                   using the command
                   <span><strong class="command">rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>.
                   Once <span><strong class="command">named</strong></span> has finished signing
                   a zone with a particular key, the signing state
                   record associated with that key can be removed from
                   the zone by running
                   <span><strong class="command">rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>.
                   To clear all of the completed signing state
                   records for a zone, use
                   <span><strong class="command">rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>.
                 </p>
 </dd>
 <dt>
 <span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
 </dt>
 <dd>
 <p>
                   These options control the server's behavior on refreshing a
                   zone
                   (querying for SOA changes) or retrying failed transfers.
                   Usually the SOA values for the zone are used, but these
                   values
                   are set by the master, giving slave server administrators
                   little
                   control over their contents.
                 </p>
 <p>
                   These options allow the administrator to set a minimum and
                   maximum
                   refresh and retry time either per-zone, per-view, or
                   globally.
                   These options are valid for slave and stub zones,
                   and clamp the SOA refresh and retry times to the specified
                   values.
                 </p>
 <p>
                   The following defaults apply.
                   <span><strong class="command">min-refresh-time</strong></span> 300 seconds,
                   <span><strong class="command">max-refresh-time</strong></span> 2419200 seconds
                   (4 weeks), <span><strong class="command">min-retry-time</strong></span> 500 seconds,
                   and <span><strong class="command">max-retry-time</strong></span> 1209600 seconds
                   (2 weeks).
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
 <dd>
 <p>
                   Sets the advertised EDNS UDP buffer size in bytes
                   to control the size of packets received.
                   Valid values are 512 to 4096 (values outside this range
                   will be silently adjusted).  The default value
                   is 4096.  The usual reason for setting
                   <span><strong class="command">edns-udp-size</strong></span> to a non-default
                   value is to get UDP answers to pass through broken
                   firewalls that block fragmented packets and/or
                   block UDP packets that are greater than 512 bytes.
                 </p>
 <p>
                   <span><strong class="command">named</strong></span> will fallback to using 512 bytes
                   if it get a series of timeout at the initial value.  512
                   bytes is not being offered to encourage sites to fix their
                   firewalls.  Small EDNS UDP sizes will result in the
                   excessive use of TCP.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
 <dd>
 <p>
                   Sets the maximum EDNS UDP message size
                   <span><strong class="command">named</strong></span> will send in bytes.
                   Valid values are 512 to 4096 (values outside this
                   range will be silently adjusted).  The default
                   value is 4096.  The usual reason for setting
                   <span><strong class="command">max-udp-size</strong></span> to a non-default
                   value is to get UDP answers to pass through broken
                   firewalls that block fragmented packets and/or
                   block UDP packets that are greater than 512 bytes.
                   This is independent of the advertised receive
                   buffer (<span><strong class="command">edns-udp-size</strong></span>).
                 </p>
 <p>
                   Setting this to a low value will encourage additional
                   TCP traffic to the nameserver.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
 <dd>
 <p>Specifies
                   the file format of zone files (see
                   <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called &#8220;Additional File Formats&#8221;</a>).
                   The default value is <code class="constant">text</code>, which is the
                   standard textual representation, except for slave zones,
                   in which the default value is <code class="constant">raw</code>.
                   Files in other formats than <code class="constant">text</code> are
                   typically expected to be generated by the
                   <span><strong class="command">named-compilezone</strong></span> tool, or dumped by
                   <span><strong class="command">named</strong></span>.
                 </p>
 <p>
                   Note that when a zone file in a different format than
                   <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span>
                   may omit some of the checks which would be performed for a
                   file in the <code class="constant">text</code> format.  In particular,
                   <span><strong class="command">check-names</strong></span> checks do not apply
                   for the <code class="constant">raw</code> format.  This means
                   a zone file in the <code class="constant">raw</code> format
                   must be generated with the same check level as that
                   specified in the <span><strong class="command">named</strong></span> configuration
                   file.  This statement sets the
                   <span><strong class="command">masterfile-format</strong></span> for all zones,
                   but can be overridden on a per-zone or per-view basis
                   by including a <span><strong class="command">masterfile-format</strong></span>
                   statement within the <span><strong class="command">zone</strong></span> or
                   <span><strong class="command">view</strong></span> block in the configuration
                   file.
                 </p>
 </dd>
 <dt>
 <a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
 </dt>
 <dd>
 <p>These set the
                   initial value (minimum) and maximum number of recursive
                   simultaneous clients for any given query
                   (&lt;qname,qtype,qclass&gt;) that the server will accept
                   before dropping additional clients.  <span><strong class="command">named</strong></span> will attempt to
                   self tune this value and changes will be logged.  The
                   default values are 10 and 100.
                 </p>
 <p>
                   This value should reflect how many queries come in for
                   a given name in the time it takes to resolve that name.
                   If the number of queries exceed this value, <span><strong class="command">named</strong></span> will
                   assume that it is dealing with a non-responsive zone
                   and will drop additional queries.  If it gets a response
                   after dropping queries, it will raise the estimate.  The
                   estimate will then be lowered in 20 minutes if it has
                   remained unchanged.
                 </p>
 <p>
                   If <span><strong class="command">clients-per-query</strong></span> is set to zero,
                   then there is no limit on the number of clients per query
                   and no queries will be dropped.
                 </p>
 <p>
                   If <span><strong class="command">max-clients-per-query</strong></span> is set to zero,
                   then there is no upper bound other than imposed by
                   <span><strong class="command">recursive-clients</strong></span>.
                 </p>
 </dd>
 <dt>
 <a name="max-recursion-depth"></a><span class="term"><span><strong class="command">max-recursion-depth</strong></span></span>
 </dt>
 <dd><p>
                   Sets the maximum number of levels of recursion
                   that are permitted at any one time while servicing
                   a recursive query. Resolving a name may require
                   looking up a name server address, which in turn
                   requires resolving another name, etc; if the number
                   of indirections exceeds this value, the recursive
                   query is terminated and returns SERVFAIL.  The
                   default is 7.
                 </p></dd>
 <dt>
 <a name="max-recursion-queries"></a><span class="term"><span><strong class="command">max-recursion-queries</strong></span></span>
 </dt>
 <dd><p>
                   Sets the maximum number of iterative queries that
                   may be sent while servicing a recursive query.
                   If more queries are sent, the recursive query
                   is terminated and returns SERVFAIL. Queries to
                   look up top level comains such as "com" and "net"
                   and the DNS root zone are exempt from this limitation.
                   The default is 50.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
 <dd>
 <p>
                   The delay, in seconds, between sending sets of notify
                   messages for a zone.  The default is five (5) seconds.
                 </p>
 <p>
                   The overall rate that NOTIFY messages are sent for all
                   zones is controlled by <span><strong class="command">serial-query-rate</strong></span>.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">max-rsa-exponent-size</strong></span></span></dt>
 <dd><p>
                   The maximum RSA exponent size, in bits, that will
                   be accepted when validating.  Valid values are 35
                   to 4096 bits.  The default zero (0) is also accepted
                   and is equivalent to 4096.
                 </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="builtin"></a>Built-in server information zones</h4></div></div></div>
 <p>
             The server provides some helpful diagnostic information
             through a number of built-in zones under the
             pseudo-top-level-domain <code class="literal">bind</code> in the
             <span><strong class="command">CHAOS</strong></span> class.  These zones are part
             of a
             built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span><strong class="command">view</strong></span> Statement Grammar&#8221;</a>) of
             class
             <span><strong class="command">CHAOS</strong></span> which is separate from the
             default view of class <span><strong class="command">IN</strong></span>. Most global
             configuration options (<span><strong class="command">allow-query</strong></span>,
             etc) will apply to this view, but some are locally
             overridden: <span><strong class="command">notify</strong></span>,
             <span><strong class="command">recursion</strong></span> and
             <span><strong class="command">allow-new-zones</strong></span> are
             always set to <strong class="userinput"><code>no</code></strong>.
           </p>
 <p>
             If you need to disable these zones, use the options
             below, or hide the built-in <span><strong class="command">CHAOS</strong></span>
             view by
             defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
             that matches all clients.
           </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">version</strong></span></span></dt>
 <dd><p>
                   The version the server should report
                   via a query of the name <code class="literal">version.bind</code>
                   with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
                   The default is the real version number of this server.
                   Specifying <span><strong class="command">version none</strong></span>
                   disables processing of the queries.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt>
 <dd><p>
                   The hostname the server should report via a query of
                   the name <code class="filename">hostname.bind</code>
                   with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
                   This defaults to the hostname of the machine hosting the
                   name server as
                   found by the gethostname() function.  The primary purpose of such queries
                   is to
                   identify which of a group of anycast servers is actually
                   answering your queries.  Specifying <span><strong class="command">hostname none;</strong></span>
                   disables processing of the queries.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
 <dd><p>
                   The ID the server should report when receiving a Name
                   Server Identifier (NSID) query, or a query of the name
                   <code class="filename">ID.SERVER</code> with type
                   <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
                   The primary purpose of such queries is to
                   identify which of a group of anycast servers is actually
                   answering your queries.  Specifying <span><strong class="command">server-id none;</strong></span>
                   disables processing of the queries.
                   Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
                   use the hostname as found by the gethostname() function.
                   The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
                 </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
 <p>
             Named has some built-in empty zones (SOA and NS records only).
             These are for zones that should normally be answered locally
             and which queries should not be sent to the Internet's root
             servers.  The official servers which cover these namespaces
             return NXDOMAIN responses to these queries.  In particular,
             these cover the reverse namespaces for addresses from
             RFC 1918, RFC 4193, RFC 5737 and RFC 6598.  They also include the
             reverse namespace for IPv6 local address (locally assigned),
             IPv6 link local addresses, the IPv6 loopback address and the
             IPv6 unknown address.
           </p>
 <p>
             Named will attempt to determine if a built-in zone already exists
             or is active (covered by a forward-only forwarding declaration)
             and will not create an empty zone in that case.
           </p>
 <p>
             The current list of empty zones is:
             </p>
 <div class="itemizedlist"><ul type="disc">
 <li>10.IN-ADDR.ARPA</li>
 <li>16.172.IN-ADDR.ARPA</li>
 <li>17.172.IN-ADDR.ARPA</li>
 <li>18.172.IN-ADDR.ARPA</li>
 <li>19.172.IN-ADDR.ARPA</li>
 <li>20.172.IN-ADDR.ARPA</li>
 <li>21.172.IN-ADDR.ARPA</li>
 <li>22.172.IN-ADDR.ARPA</li>
 <li>23.172.IN-ADDR.ARPA</li>
 <li>24.172.IN-ADDR.ARPA</li>
 <li>25.172.IN-ADDR.ARPA</li>
 <li>26.172.IN-ADDR.ARPA</li>
 <li>27.172.IN-ADDR.ARPA</li>
 <li>28.172.IN-ADDR.ARPA</li>
 <li>29.172.IN-ADDR.ARPA</li>
 <li>30.172.IN-ADDR.ARPA</li>
 <li>31.172.IN-ADDR.ARPA</li>
 <li>168.192.IN-ADDR.ARPA</li>
 <li>64.100.IN-ADDR.ARPA</li>
 <li>65.100.IN-ADDR.ARPA</li>
 <li>66.100.IN-ADDR.ARPA</li>
 <li>67.100.IN-ADDR.ARPA</li>
 <li>68.100.IN-ADDR.ARPA</li>
 <li>69.100.IN-ADDR.ARPA</li>
 <li>70.100.IN-ADDR.ARPA</li>
 <li>71.100.IN-ADDR.ARPA</li>
 <li>72.100.IN-ADDR.ARPA</li>
 <li>73.100.IN-ADDR.ARPA</li>
 <li>74.100.IN-ADDR.ARPA</li>
 <li>75.100.IN-ADDR.ARPA</li>
 <li>76.100.IN-ADDR.ARPA</li>
 <li>77.100.IN-ADDR.ARPA</li>
 <li>78.100.IN-ADDR.ARPA</li>
 <li>79.100.IN-ADDR.ARPA</li>
 <li>80.100.IN-ADDR.ARPA</li>
 <li>81.100.IN-ADDR.ARPA</li>
 <li>82.100.IN-ADDR.ARPA</li>
 <li>83.100.IN-ADDR.ARPA</li>
 <li>84.100.IN-ADDR.ARPA</li>
 <li>85.100.IN-ADDR.ARPA</li>
 <li>86.100.IN-ADDR.ARPA</li>
 <li>87.100.IN-ADDR.ARPA</li>
 <li>88.100.IN-ADDR.ARPA</li>
 <li>89.100.IN-ADDR.ARPA</li>
 <li>90.100.IN-ADDR.ARPA</li>
 <li>91.100.IN-ADDR.ARPA</li>
 <li>92.100.IN-ADDR.ARPA</li>
 <li>93.100.IN-ADDR.ARPA</li>
 <li>94.100.IN-ADDR.ARPA</li>
 <li>95.100.IN-ADDR.ARPA</li>
 <li>96.100.IN-ADDR.ARPA</li>
 <li>97.100.IN-ADDR.ARPA</li>
 <li>98.100.IN-ADDR.ARPA</li>
 <li>99.100.IN-ADDR.ARPA</li>
 <li>100.100.IN-ADDR.ARPA</li>
 <li>101.100.IN-ADDR.ARPA</li>
 <li>102.100.IN-ADDR.ARPA</li>
 <li>103.100.IN-ADDR.ARPA</li>
 <li>104.100.IN-ADDR.ARPA</li>
 <li>105.100.IN-ADDR.ARPA</li>
 <li>106.100.IN-ADDR.ARPA</li>
 <li>107.100.IN-ADDR.ARPA</li>
 <li>108.100.IN-ADDR.ARPA</li>
 <li>109.100.IN-ADDR.ARPA</li>
 <li>110.100.IN-ADDR.ARPA</li>
 <li>111.100.IN-ADDR.ARPA</li>
 <li>112.100.IN-ADDR.ARPA</li>
 <li>113.100.IN-ADDR.ARPA</li>
 <li>114.100.IN-ADDR.ARPA</li>
 <li>115.100.IN-ADDR.ARPA</li>
 <li>116.100.IN-ADDR.ARPA</li>
 <li>117.100.IN-ADDR.ARPA</li>
 <li>118.100.IN-ADDR.ARPA</li>
 <li>119.100.IN-ADDR.ARPA</li>
 <li>120.100.IN-ADDR.ARPA</li>
 <li>121.100.IN-ADDR.ARPA</li>
 <li>122.100.IN-ADDR.ARPA</li>
 <li>123.100.IN-ADDR.ARPA</li>
 <li>124.100.IN-ADDR.ARPA</li>
 <li>125.100.IN-ADDR.ARPA</li>
 <li>126.100.IN-ADDR.ARPA</li>
 <li>127.100.IN-ADDR.ARPA</li>
 <li>0.IN-ADDR.ARPA</li>
 <li>127.IN-ADDR.ARPA</li>
 <li>254.169.IN-ADDR.ARPA</li>
 <li>2.0.192.IN-ADDR.ARPA</li>
 <li>100.51.198.IN-ADDR.ARPA</li>
 <li>113.0.203.IN-ADDR.ARPA</li>
 <li>255.255.255.255.IN-ADDR.ARPA</li>
 <li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
 <li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
 <li>8.B.D.0.1.0.0.2.IP6.ARPA</li>
 <li>D.F.IP6.ARPA</li>
 <li>8.E.F.IP6.ARPA</li>
 <li>9.E.F.IP6.ARPA</li>
 <li>A.E.F.IP6.ARPA</li>
 <li>B.E.F.IP6.ARPA</li>
 </ul></div>
 <p>
           </p>
 <p>
             Empty zones are settable at the view level and only apply to
             views of class IN.  Disabled empty zones are only inherited
             from options if there are no disabled empty zones specified
             at the view level.  To override the options list of disabled
             zones, you can disable the root zone at the view level, for example:
 </p>
 <pre class="programlisting">
             disable-empty-zone ".";
 </pre>
 <p>
           </p>
 <p>
             If you are using the address ranges covered here, you should
             already have reverse zones covering the addresses you use.
             In practice this appears to not be the case with many queries
             being made to the infrastructure servers for names in these
             spaces.  So many in fact that sacrificial servers were needed
             to be deployed to channel the query load away from the
             infrastructure servers.
           </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
             The real parent servers for these zones should disable all
             empty zone under the parent zone they serve.  For the real
             root servers, this is all built-in empty zones.  This will
             enable them to return referrals to deeper in the tree.
           </div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt>
 <dd><p>
                   Specify what server name will appear in the returned
                   SOA record for empty zones.  If none is specified, then
                   the zone's name will be used.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt>
 <dd><p>
                   Specify what contact name will appear in the returned
                   SOA record for empty zones.  If none is specified, then
                   "." will be used.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt>
 <dd><p>
                   Enable or disable all empty zones.  By default, they
                   are enabled.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt>
 <dd><p>
                   Disable individual empty zones.  By default, none are
                   disabled.  This option can be specified multiple times.
                 </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="acache"></a>Additional Section Caching</h4></div></div></div>
 <p>
             The additional section cache, also called <span><strong class="command">acache</strong></span>,
             is an internal cache to improve the response performance of BIND 9.
             When additional section caching is enabled, BIND 9 will
             cache an internal short-cut to the additional section content for
             each answer RR.
             Note that <span><strong class="command">acache</strong></span> is an internal caching
             mechanism of BIND 9, and is not related to the DNS caching
             server function.
           </p>
 <p>
             Additional section caching does not change the
             response content (except the RRsets ordering of the additional
             section, see below), but can improve the response performance
             significantly.
             It is particularly effective when BIND 9 acts as an authoritative
             server for a zone that has many delegations with many glue RRs.
           </p>
 <p>
             In order to obtain the maximum performance improvement
             from additional section caching, setting
             <span><strong class="command">additional-from-cache</strong></span>
             to <span><strong class="command">no</strong></span> is recommended, since the current
             implementation of <span><strong class="command">acache</strong></span>
             does not short-cut of additional section information from the
             DNS cache data.
           </p>
 <p>
             One obvious disadvantage of <span><strong class="command">acache</strong></span> is
             that it requires much more
             memory for the internal cached data.
             Thus, if the response performance does not matter and memory
             consumption is much more critical, the
             <span><strong class="command">acache</strong></span> mechanism can be
             disabled by setting <span><strong class="command">acache-enable</strong></span> to
             <span><strong class="command">no</strong></span>.
             It is also possible to specify the upper limit of memory
             consumption
             for acache by using <span><strong class="command">max-acache-size</strong></span>.
           </p>
 <p>
             Additional section caching also has a minor effect on the
             RRset ordering in the additional section.
             Without <span><strong class="command">acache</strong></span>,
             <span><strong class="command">cyclic</strong></span> order is effective for the additional
             section as well as the answer and authority sections.
             However, additional section caching fixes the ordering when it
             first caches an RRset for the additional section, and the same
             ordering will be kept in succeeding responses, regardless of the
             setting of <span><strong class="command">rrset-order</strong></span>.
             The effect of this should be minor, however, since an
             RRset in the additional section
             typically only contains a small number of RRs (and in many cases
             it only contains a single RR), in which case the
             ordering does not matter much.
           </p>
 <p>
             The following is a summary of options related to
             <span><strong class="command">acache</strong></span>.
           </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt>
 <dd><p>
                   If <span><strong class="command">yes</strong></span>, additional section caching is
                   enabled.  The default value is <span><strong class="command">no</strong></span>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
 <dd><p>
                   The server will remove stale cache entries, based on an LRU
                   based
                   algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes.
                   The default is 60 minutes.
                   If set to 0, no periodic cleaning will occur.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt>
 <dd><p>
                   The maximum amount of memory in bytes to use for the server's acache.
                   When the amount of data in the acache reaches this limit,
                   the server
                   will clean more aggressively so that the limit is not
                   exceeded.
                   In a server with multiple views, the limit applies
                   separately to the
                   acache of each view.
                   The default is <code class="literal">16M</code>.
                 </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2588571"></a>Content Filtering</h4></div></div></div>
 <p>
             <acronym class="acronym">BIND</acronym> 9 provides the ability to filter
             out DNS responses from external DNS servers containing
             certain types of data in the answer section.
             Specifically, it can reject address (A or AAAA) records if
             the corresponding IPv4 or IPv6 addresses match the given
             <code class="varname">address_match_list</code> of the
             <span><strong class="command">deny-answer-addresses</strong></span> option.
             It can also reject CNAME or DNAME records if the "alias"
             name (i.e., the CNAME alias or the substituted query name
             due to DNAME) matches the
             given <code class="varname">namelist</code> of the
             <span><strong class="command">deny-answer-aliases</strong></span> option, where
             "match" means the alias name is a subdomain of one of
             the <code class="varname">name_list</code> elements.
             If the optional <code class="varname">namelist</code> is specified
             with <span><strong class="command">except-from</strong></span>, records whose query name
             matches the list will be accepted regardless of the filter
             setting.
             Likewise, if the alias name is a subdomain of the
             corresponding zone, the <span><strong class="command">deny-answer-aliases</strong></span>
             filter will not apply;
             for example, even if "example.com" is specified for
             <span><strong class="command">deny-answer-aliases</strong></span>,
           </p>
 <pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre>
 <p>
             returned by an "example.com" server will be accepted.
           </p>
 <p>
             In the <code class="varname">address_match_list</code> of the
             <span><strong class="command">deny-answer-addresses</strong></span> option, only
             <code class="varname">ip_addr</code>
             and <code class="varname">ip_prefix</code>
             are meaningful;
             any <code class="varname">key_id</code> will be silently ignored.
           </p>
 <p>
             If a response message is rejected due to the filtering,
             the entire message is discarded without being cached, and
             a SERVFAIL error will be returned to the client.
           </p>
 <p>
             This filtering is intended to prevent "DNS rebinding attacks," in
             which an attacker, in response to a query for a domain name the
             attacker controls, returns an IP address within your own network or
             an alias name within your own domain.
             A naive web browser or script could then serve as an
             unintended proxy, allowing the attacker
             to get access to an internal node of your local network
             that couldn't be externally accessed otherwise.
             See the paper available at
             <a href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top">
             http://portal.acm.org/citation.cfm?id=1315245.1315298
             </a>
             for more details about the attacks.
           </p>
 <p>
             For example, if you own a domain named "example.net" and
             your internal network uses an IPv4 prefix 192.0.2.0/24,
             you might specify the following rules:
           </p>
 <pre class="programlisting">deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
 deny-answer-aliases { "example.net"; };
 </pre>
 <p>
             If an external attacker lets a web browser in your local
             network look up an IPv4 address of "attacker.example.com",
             the attacker's DNS server would return a response like this:
           </p>
 <pre class="programlisting">attacker.example.com. A 192.0.2.1</pre>
 <p>
             in the answer section.
             Since the rdata of this record (the IPv4 address) matches
             the specified prefix 192.0.2.0/24, this response will be
             ignored.
           </p>
 <p>
             On the other hand, if the browser looks up a legitimate
             internal web server "www.example.net" and the
             following response is returned to
             the <acronym class="acronym">BIND</acronym> 9 server
           </p>
 <pre class="programlisting">www.example.net. A 192.0.2.2</pre>
 <p>
             it will be accepted since the owner name "www.example.net"
             matches the <span><strong class="command">except-from</strong></span> element,
             "example.net".
           </p>
 <p>
             Note that this is not really an attack on the DNS per se.
             In fact, there is nothing wrong for an "external" name to
             be mapped to your "internal" IP address or domain name
             from the DNS point of view.
             It might actually be provided for a legitimate purpose,
             such as for debugging.
             As long as the mapping is provided by the correct owner,
             it is not possible or does not make sense to detect
             whether the intent of the mapping is legitimate or not
             within the DNS.
             The "rebinding" attack must primarily be protected at the
             application that uses the DNS.
             For a large site, however, it may be difficult to protect
             all possible applications at once.
             This filtering feature is provided only to help such an
             operational environment;
             it is generally discouraged to turn it on unless you are
             very sure you have no other choice and the attack is a
             real threat for your applications.
           </p>
 <p>
             Care should be particularly taken if you want to use this
             option for addresses within 127.0.0.0/8.
             These addresses are obviously "internal", but many
             applications conventionally rely on a DNS mapping from
             some name to such an address.
             Filtering out DNS records containing this address
             spuriously can break such applications.
           </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2588765"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
 <p>
             <acronym class="acronym">BIND</acronym> 9 includes a limited
             mechanism to modify DNS responses for requests
             analogous to email anti-spam DNS blacklists.
             Responses can be changed to deny the existence of domains (NXDOMAIN),
             deny the existence of IP addresses for domains (NODATA),
             or contain other IP addresses or data.
           </p>
 <p>
             Response policy zones are named in the
             <span><strong class="command">response-policy</strong></span> option for the view or among the
             global options if there is no response-policy option for the view.
             RPZs are ordinary DNS zones containing RRsets
             that can be queried normally if allowed.
             It is usually best to restrict those queries with something like
             <span><strong class="command">allow-query { localhost; };</strong></span>.
           </p>
 <p>
             Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP,
             and NSDNAME.
             QNAME RPZ records triggered by query names of requests and targets
             of CNAME records resolved to generate the response.
             The owner name of a QNAME RPZ record is the query name relativized
             to the RPZ.
           </p>
 <p>
             The second kind of RPZ trigger is an IP address in an A and AAAA
             record in the ANSWER section of a response.
             IP address triggers are encoded in records that have owner names
             that are subdomains of <strong class="userinput"><code>rpz-ip</code></strong> relativized
             to the RPZ origin name and encode an IP address or address block.
             IPv4 trigger addresses are represented as
             <strong class="userinput"><code>prefixlength.B4.B3.B2.B1.rpz-ip</code></strong>.
             The prefix length must be between 1 and 32.
             All four bytes, B4, B3, B2, and B1, must be present.
             B4 is the decimal value of the least significant byte of the
             IPv4 address as in IN-ADDR.ARPA.
             IPv6 addresses are encoded in a format similar to the standard
             IPv6 text representation,
             <strong class="userinput"><code>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip</code></strong>.
             Each of W8,...,W1 is a one to four digit hexadecimal number
             representing 16 bits of the IPv6 address as in the standard text
             representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA.
             All 8 words must be present except when consecutive
             zero words are replaced with <strong class="userinput"><code>.zz.</code></strong>
             analogous to double colons (::) in standard IPv6 text encodings.
             The prefix length must be between 1 and 128.
           </p>
 <p>
             NSDNAME triggers match names of authoritative servers
             for the query name, a parent of the query name, a CNAME for
             query name, or a parent of a CNAME.
             They are encoded as subdomains of
             <strong class="userinput"><code>rpz-nsdomain</code></strong> relativized
             to the RPZ origin name.
             NSIP triggers match IP addresses in A and
             AAAA RRsets for domains that can be checked against NSDNAME
             policy records.
             NSIP triggers are encoded like IP triggers except as subdomains of
             <strong class="userinput"><code>rpz-nsip</code></strong>.
             NSDNAME and NSIP triggers are checked only for names with at
             least <span><strong class="command">min-ns-dots</strong></span> dots.
             The default value of <span><strong class="command">min-ns-dots</strong></span> is 1 to
             exclude top level domains.
           </p>
 <p>
             The query response is checked against all RPZs, so
             two or more policy records can be triggered by a response.
             Because DNS responses can be rewritten according to at most one
             policy record, a single record encoding an action (other than
             <span><strong class="command">DISABLED</strong></span> actions) must be chosen.
             Triggers or the records that encode them are chosen in
             the following order:
             </p>
 <div class="itemizedlist"><ul type="disc">
 <li>Choose the triggered record in the zone that appears
                 first in the response-policy option.
               </li>
 <li>Prefer QNAME to IP to NSDNAME to NSIP triggers
                 in a single zone.
               </li>
 <li>Among NSDNAME triggers, prefer the
                 trigger that matches the smallest name under the DNSSEC ordering.
               </li>
 <li>Among IP or NSIP triggers, prefer the trigger
                 with the longest prefix.
               </li>
 <li>Among triggers with the same prefix length,
                 prefer the IP or NSIP trigger that matches
                 the smallest IP address.
               </li>
 </ul></div>
 <p>
           </p>
 <p>
             When the processing of a response is restarted to resolve
             DNAME or CNAME records and a policy record set has
             not been triggered,
             all RPZs are again consulted for the DNAME or CNAME names
             and addresses.
           </p>
 <p>
             RPZ record sets are sets of any types of DNS record except
             DNAME or DNSSEC that encode actions or responses to queries.
             </p>
 <div class="itemizedlist"><ul type="disc">
 <li>The <span><strong class="command">NXDOMAIN</strong></span> response is encoded
                 by a CNAME whose target is the root domain (.)
               </li>
 <li>A CNAME whose target is the wildcard top-level
                 domain (*.) specifies the <span><strong class="command">NODATA</strong></span> action,
                 which rewrites the response to NODATA or ANCOUNT=1.
               </li>
 <li>The <span><strong class="command">Local Data</strong></span> action is
                 represented by a set ordinary DNS records that are used
                 to answer queries.  Queries for record types not the
                 set are answered with NODATA.
 
                 A special form of local data is a CNAME whose target is a
                 wildcard such as *.example.com.
                 It is used as if were an ordinary CNAME after the astrisk (*)
                 has been replaced with the query name.
                 The purpose for this special form is query logging in the
                 walled garden's authority DNS server.
               </li>
 <li>The <span><strong class="command">PASSTHRU</strong></span> policy is specified
                 by a CNAME whose target is <span><strong class="command">rpz-passthru.</strong></span>
                 It causes the response to not be rewritten
                 and is most often used to "poke holes" in policies for
                 CIDR blocks.
                 (A CNAME whose target is the variable part of its owner name
                 is an obsolete specification of the PASSTHRU policy.)
               </li>
 </ul></div>
 <p>
           </p>
 <p>
             The actions specified in an RPZ can be overridden with a
             <span><strong class="command">policy</strong></span> clause in the
             <span><strong class="command">response-policy</strong></span> option.
             An organization using an RPZ provided by another organization might
             use this mechanism to redirect domains to its own walled garden.
             </p>
 <div class="itemizedlist"><ul type="disc">
 <li>
 <span><strong class="command">GIVEN</strong></span> says "do not override but
                 perform the action specified in the zone."
               </li>
 <li>
 <span><strong class="command">DISABLED</strong></span> causes policy records to do
                 nothing but log what they might have done.
                 The response to the DNS query will be written according to
                 any triggered policy records that are not disabled.
                 Disabled policy zones should appear first,
                 because they will often not be logged
                 if a higher precedence trigger is found first.
               </li>
 <li>
 <span><strong class="command">PASSTHRU</strong></span> causes all policy records
                 to act as if they were CNAME records with targets the variable
                 part of their owner name.  They protect the response from
                 being changed.
               </li>
 <li>
 <span><strong class="command">NXDOMAIN</strong></span> causes all RPZ records
                 to specify NXDOMAIN policies.
               </li>
 <li>
 <span><strong class="command">NODATA</strong></span> overrides with the
                 NODATA policy
               </li>
 <li>
 <span><strong class="command">CNAME domain</strong></span> causes all RPZ
                 policy records to act as if they were "cname domain" records.
               </li>
 </ul></div>
 <p>
           </p>
 <p>
             By default, the actions encoded in an RPZ are applied
             only to queries that ask for recursion (RD=1).
             That default can be changed for a single RPZ or all RPZs in a view
             with a <span><strong class="command">recursive-only no</strong></span> clause.
             This feature is useful for serving the same zone files
             both inside and outside an RFC 1918 cloud and using RPZ to
             delete answers that would otherwise contain RFC 1918 values
             on the externally visible name server or view.
           </p>
 <p>
             Also by default, RPZ actions are applied only to DNS requests that
             either do not request DNSSEC metadata (DO=0) or when no DNSSEC
             records are available for request name in the original zone (not
             the response policy zone).
             This default can be changed for all RPZs in a view with a
             <span><strong class="command">break-dnssec yes</strong></span> clause.
             In that case, RPZ actions are applied regardless of DNSSEC.
             The name of the clause option reflects the fact that results
             rewritten by RPZ actions cannot verify.
           </p>
 <p>
             The TTL of a record modified by RPZ policies is set from the
             TTL of the relevant record in policy zone.  It is then limited
             to a maximum value.
             The <span><strong class="command">max-policy-ttl</strong></span> clause changes that
             maximum from its default of 5.
           </p>
 <p>
             For example, you might use this option statement
           </p>
 <pre class="programlisting">    response-policy { zone "badlist"; };</pre>
 <p>
             and this zone statement
           </p>
 <pre class="programlisting">    zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
 <p>
             with this zone file
           </p>
 <pre class="programlisting">$TTL 1H
 @                       SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
                         NS  LOCALHOST.
 
 ; QNAME policy records.  There are no periods (.) after the owner names.
 nxdomain.domain.com     CNAME   .               ; NXDOMAIN policy
 nodata.domain.com       CNAME   *.              ; NODATA policy
 bad.domain.com          A       10.0.0.1        ; redirect to a walled garden
                         AAAA    2001:2::1
 
 ; do not rewrite (PASSTHRU) OK.DOMAIN.COM
 ok.domain.com           CNAME   rpz-passthru.
 
 bzone.domain.com        CNAME   garden.example.com.
 
 ; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
 *.bzone.domain.com      CNAME   *.garden.example.com.
 
 
 ; IP policy records that rewrite all answers for 127/8 except 127.0.0.1
 8.0.0.0.127.rpz-ip      CNAME   .
 32.1.0.0.127.rpz-ip     CNAME   rpz-passthru.
 
 ; NSDNAME and NSIP policy records
 ns.domain.com.rpz-nsdname   CNAME   .
 48.zz.2.2001.rpz-nsip       CNAME   .
 </pre>
 <p>
             RPZ can affect server performance.
             Each configured response policy zone requires the server to
             perform one to four additional database lookups before a
             query can be answered.
             For example, a DNS server with four policy zones, each with all
             four kinds of response triggers, QNAME, IP, NSIP, and
             NSDNAME, requires a total of 17 times as many database
             lookups as a similar DNS server with no response policy zones.
             A <acronym class="acronym">BIND9</acronym> server with adequate memory and one
             response policy zone with QNAME and IP triggers might achieve a
             maximum queries-per-second rate about 20% lower.
             A server with four response policy zones with QNAME and IP
             triggers might have a maximum QPS rate about 50% lower.
           </p>
 <p>
             Responses rewritten by RPZ are counted in the
             <span><strong class="command">RPZRewrites</strong></span> statistics.
           </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2589264"></a>Response Rate Limiting</h4></div></div></div>
 <p>
             This feature is only available when <acronym class="acronym">BIND</acronym> 9
             is compiled with the <strong class="userinput"><code>--enable-rrl</code></strong>
             option on the "configure" command line.
           </p>
 <p>
             Excessive almost identical UDP <span class="emphasis"><em>responses</em></span>
             can be controlled by configuring a
             <span><strong class="command">rate-limit</strong></span> clause in an
             <span><strong class="command">options</strong></span> or <span><strong class="command">view</strong></span> statement.
             This mechanism keeps authoritative BIND 9 from being used
             in amplifying reflection denial of service (DoS) attacks.
             Short truncated (TC=1) responses can be sent to provide
             rate-limited responses to legitimate clients within
             a range of forged, attacked IP addresses.
             Legitimate clients react to dropped or truncated response
             by retrying with UDP or with TCP respectively.
           </p>
 <p>
             This mechanism is intended for authoritative DNS servers.
             It can be used on recursive servers but can slow
             applications such as SMTP servers (mail receivers) and
             HTTP clients (web browsers) that repeatedly request the
             same domains.
             When possible, closing "open" recursive servers is better.
           </p>
 <p>
             Response rate limiting uses a "credit" or "token bucket" scheme.
             Each combination of identical response and client
             has a conceptual account that earns a specified number
             of credits every second.
             A prospective response debits its account by one.
             Responses are dropped or truncated
             while the account is negative.
             Responses are tracked within a rolling window of time
             which defaults to 15 seconds, but can be configured with
             the <span><strong class="command">window</strong></span> option to any value from
             1 to 3600 seconds (1 hour).
             The account cannot become more positive than
             the per-second limit
             or more negative than <span><strong class="command">window</strong></span>
             times the per-second limit.
             When the specified number of credits for a class of
             responses is set to 0, those responses are not rate limited.
           </p>
 <p>
             The notions of "identical response" and "DNS client"
             for rate limiting are not simplistic.
             All responses to an address block are counted as if to a
             single client.
             The prefix lengths of addresses blocks are
             specified with <span><strong class="command">ipv4-prefix-length</strong></span> (default 24)
             and <span><strong class="command">ipv6-prefix-length</strong></span> (default 56).
           </p>
 <p>
             All non-empty responses for a valid domain name (qname)
             and record type (qtype) are identical and have a limit specified
             with <span><strong class="command">responses-per-second</strong></span>
             (default 0 or no limit).
             All empty (NODATA) responses for a valid domain,
             regardless of query type, are identical.
             Responses in the NODATA class are limited by
             <span><strong class="command">nodata-per-second</strong></span>
             (default <span><strong class="command">responses-per-second</strong></span>).
             Requests for any and all undefined subdomains of a given
             valid domain result in NXDOMAIN errors, and are identical
             regardless of query type.
             They are limited by <span><strong class="command">nxdomain-per-second</strong></span>
             (default <span><strong class="command">responses-per-second</strong></span>).
             This controls some attacks using random names, but
             can be relaxed or turned off (set to 0)
             on servers that expect many legitimate
             NXDOMAIN responses, such as from anti-spam blacklists.
             Referrals or delegations to the server of a given
             domain are identical and are limited by
             <span><strong class="command">referrals-per-second</strong></span>
             (default <span><strong class="command">responses-per-second</strong></span>).
           </p>
 <p>
             Responses generated from local wildcards are counted and limited
             as if they were for the parent domain name.
             This controls flooding using random.wild.example.com.
           </p>
 <p>
             All requests that result in DNS errors other
             than NXDOMAIN, such as SERVFAIL and FORMERR, are identical
             regardless of requested name (qname) or record type (qtype).
             This controls attacks using invalid requests or distant,
             broken authoritative servers.
             By default the limit on errors is the same as the
             <span><strong class="command">responses-per-second</strong></span> value,
             but it can be set separately with
             <span><strong class="command">errors-per-second</strong></span>.
           </p>
 <p>
             Many attacks using DNS involve UDP requests with forged source
             addresses.
             Rate limiting prevents the use of BIND 9 to flood a network
             with responses to requests with forged source addresses,
             but could let a third party block responses to legitimate requests.
             There is a mechanism that can answer some legitimate
             requests from a client whose address is being forged in a flood.
             Setting <span><strong class="command">slip</strong></span> to 2 (its default) causes every
             other UDP request to be answered with a small truncated (TC=1)
             response.
             The small size and reduced frequency, and so lack of
             amplification, of "slipped" responses make them unattractive
             for reflection DoS attacks.
             <span><strong class="command">slip</strong></span> must be between 0 and 10.
             A value of 0 does not "slip":
             no truncated responses are sent due to rate limiting,
             all responses are dropped.
             A value of 1 causes every response to slip;
             values between 2 and 10 cause every n'th response to slip.
             Some error responses including REFUSED and SERVFAIL
             cannot be replaced with truncated responses and are instead
             leaked at the <span><strong class="command">slip</strong></span> rate.
           </p>
 <p>
             (NOTE: Dropped responses from an authoritative server may
             reduce the difficulty of a third party successfully forging
             a response to a recursive resolver. The best security
             against forged responses is for authoritative operators
             to sign their zones using DNSSEC and for resolver operators
             to validate the responses. When this is not an option,
             operators who are more concerned with response integrity
             than with flood mitigation may consider setting
             <span><strong class="command">slip</strong></span> to 1, causing all rate-limited
             responses to be truncated rather than dropped.  This reduces
             the effectiveness of rate-limiting against reflection attacks.)
           </p>
 <p>
             When the approximate query per second rate exceeds
             the <span><strong class="command">qps-scale</strong></span> value,
             then the <span><strong class="command">responses-per-second</strong></span>,
             <span><strong class="command">errors-per-second</strong></span>,
             <span><strong class="command">nxdomains-per-second</strong></span> and
             <span><strong class="command">all-per-second</strong></span> values are reduced by the
             ratio of the current rate to the <span><strong class="command">qps-scale</strong></span> value.
             This feature can tighten defenses during attacks.
             For example, with
             <span><strong class="command">qps-scale 250; responses-per-second 20;</strong></span> and
             a total query rate of 1000 queries/second for all queries from
             all DNS clients including via TCP,
             then the effective responses/second limit changes to
             (250/1000)*20 or 5.
             Responses sent via TCP are not limited
             but are counted to compute the query per second rate.
           </p>
 <p>
             Communities of DNS clients can be given their own parameters or no
             rate limiting by putting
             <span><strong class="command">rate-limit</strong></span> statements in <span><strong class="command">view</strong></span>
             statements instead of the global <span><strong class="command">option</strong></span>
             statement.
             A <span><strong class="command">rate-limit</strong></span> statement in a view replaces,
             rather than supplementing, a <span><strong class="command">rate-limit</strong></span>
             statement among the main options.
             DNS clients within a view can be exempted from rate limits
             with the <span><strong class="command">exempt-clients</strong></span> clause.
           </p>
 <p>
             UDP responses of all kinds can be limited with the
             <span><strong class="command">all-per-second</strong></span> phrase.
             This rate limiting is unlike the rate limiting provided by
             <span><strong class="command">responses-per-second</strong></span>,
             <span><strong class="command">errors-per-second</strong></span>, and
             <span><strong class="command">nxdomains-per-second</strong></span> on a DNS server
             which are often invisible to the victim of a DNS reflection attack.
             Unless the forged requests of the attack are the same as the
             legitimate requests of the victim, the victim's requests are
             not affected.
             Responses affected by an <span><strong class="command">all-per-second</strong></span> limit
             are always dropped; the <span><strong class="command">slip</strong></span> value has no
             effect.
             An <span><strong class="command">all-per-second</strong></span> limit should be
             at least 4 times as large as the other limits,
             because single DNS clients often send bursts of legitimate
             requests.
             For example, the receipt of a single mail message can prompt
             requests from an SMTP server for NS, PTR, A, and AAAA records
             as the incoming SMTP/TCP/IP connection is considered.
             The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF
             records as it considers the STMP <span><strong class="command">Mail From</strong></span>
             command.
             Web browsers often repeatedly resolve the same names that
             are repeated in HTML &lt;IMG&gt; tags in a page.
             <span><strong class="command">All-per-second</strong></span> is similar to the
             rate limiting offered by firewalls but often inferior.
             Attacks that justify ignoring the
             contents of DNS responses are likely to be attacks on the
             DNS server itself.
             They usually should be discarded before the DNS server
             spends resources making TCP connections or parsing DNS requests,
             but that rate limiting must be done before the
             DNS server sees the requests.
           </p>
 <p>
             The maximum size of the table used to track requests and
             rate limit responses is set with <span><strong class="command">max-table-size</strong></span>.
             Each entry in the table is between 40 and 80 bytes.
             The table needs approximately as many entries as the number
             of requests received per second.
             The default is 20,000.
             To reduce the cold start of growing the table,
             <span><strong class="command">min-table-size</strong></span> (default 500)
             can set the minimum table size.
             Enable <span><strong class="command">rate-limit</strong></span> category logging to monitor
             expansions of the table and inform
             choices for the initial and maximum table size.
           </p>
 <p>
             Use <span><strong class="command">log-only yes</strong></span> to test rate limiting parameters
             without actually dropping any requests.
           </p>
 <p>
             Responses dropped by rate limits are included in the
             <span><strong class="command">RateDropped</strong></span> and <span><strong class="command">QryDropped</strong></span>
             statistics.
             Responses that truncated by rate limits are included in
             <span><strong class="command">RateSlipped</strong></span> and <span><strong class="command">RespTruncated</strong></span>.
           </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
     [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>]
     [<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
     [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
                   [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
     [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
                      [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
     [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
             Usage</h3></div></div></div>
 <p>
             The <span><strong class="command">server</strong></span> statement defines
             characteristics
             to be associated with a remote name server.  If a prefix length is
             specified, then a range of servers is covered.  Only the most
             specific
             server clause applies regardless of the order in
             <code class="filename">named.conf</code>.
           </p>
 <p>
             The <span><strong class="command">server</strong></span> statement can occur at
             the top level of the
             configuration file or inside a <span><strong class="command">view</strong></span>
             statement.
             If a <span><strong class="command">view</strong></span> statement contains
             one or more <span><strong class="command">server</strong></span> statements, only
             those
             apply to the view and any top-level ones are ignored.
             If a view contains no <span><strong class="command">server</strong></span>
             statements,
             any top-level <span><strong class="command">server</strong></span> statements are
             used as
             defaults.
           </p>
 <p>
             If you discover that a remote server is giving out bad data,
             marking it as bogus will prevent further queries to it. The
             default
             value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
           </p>
 <p>
             The <span><strong class="command">provide-ixfr</strong></span> clause determines
             whether
             the local server, acting as master, will respond with an
             incremental
             zone transfer when the given remote server, a slave, requests it.
             If set to <span><strong class="command">yes</strong></span>, incremental transfer
             will be provided
             whenever possible. If set to <span><strong class="command">no</strong></span>,
             all transfers
             to the remote server will be non-incremental. If not set, the
             value
             of the <span><strong class="command">provide-ixfr</strong></span> option in the
             view or
             global options block is used as a default.
           </p>
 <p>
             The <span><strong class="command">request-ixfr</strong></span> clause determines
             whether
             the local server, acting as a slave, will request incremental zone
             transfers from the given remote server, a master. If not set, the
             value of the <span><strong class="command">request-ixfr</strong></span> option in
             the view or global options block is used as a default. It may
             also be set in the zone block and, if set there, it will
             override the global or view setting for that zone.
           </p>
 <p>
             IXFR requests to servers that do not support IXFR will
             automatically
             fall back to AXFR.  Therefore, there is no need to manually list
             which servers support IXFR and which ones do not; the global
             default
             of <span><strong class="command">yes</strong></span> should always work.
             The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
             <span><strong class="command">request-ixfr</strong></span> clauses is
             to make it possible to disable the use of IXFR even when both
             master
             and slave claim to support it, for example if one of the servers
             is buggy and crashes or corrupts data when IXFR is used.
           </p>
 <p>
             The <span><strong class="command">edns</strong></span> clause determines whether
             the local server will attempt to use EDNS when communicating
             with the remote server.  The default is <span><strong class="command">yes</strong></span>.
           </p>
 <p>
             The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size
             that is advertised by <span><strong class="command">named</strong></span> when querying the remote server.
             Valid values are 512 to 4096 bytes (values outside this range will be
             silently adjusted).  This option is useful when you wish to
             advertises a different value to this server than the value you
             advertise globally, for example, when there is a firewall at the
             remote site that is blocking large replies.
           </p>
 <p>
             The <span><strong class="command">max-udp-size</strong></span> option sets the
             maximum EDNS UDP message size <span><strong class="command">named</strong></span> will send.  Valid
             values are 512 to 4096 bytes (values outside this range will
             be silently adjusted).  This option is useful when you
             know that there is a firewall that is blocking large
             replies from <span><strong class="command">named</strong></span>.
           </p>
 <p>
             The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
             uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
             as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
             more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
             8.x, and patched versions of <acronym class="acronym">BIND</acronym>
             4.9.5. You can specify which method
             to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
             If <span><strong class="command">transfer-format</strong></span> is not
             specified, the <span><strong class="command">transfer-format</strong></span>
             specified
             by the <span><strong class="command">options</strong></span> statement will be
             used.
           </p>
 <p><span><strong class="command">transfers</strong></span>
             is used to limit the number of concurrent inbound zone
             transfers from the specified server. If no
             <span><strong class="command">transfers</strong></span> clause is specified, the
             limit is set according to the
             <span><strong class="command">transfers-per-ns</strong></span> option.
           </p>
 <p>
             The <span><strong class="command">keys</strong></span> clause identifies a
             <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
             to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
             when talking to the remote server.
             When a request is sent to the remote server, a request signature
             will be generated using the key specified here and appended to the
             message. A request originating from the remote server is not
             required
             to be signed by this key.
           </p>
 <p>
             Although the grammar of the <span><strong class="command">keys</strong></span>
             clause
             allows for multiple keys, only a single key per server is
             currently
             supported.
           </p>
 <p>
             The <span><strong class="command">transfer-source</strong></span> and
             <span><strong class="command">transfer-source-v6</strong></span> clauses specify
             the IPv4 and IPv6 source
             address to be used for zone transfer with the remote server,
             respectively.
             For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
             be specified.
             Similarly, for an IPv6 remote server, only
             <span><strong class="command">transfer-source-v6</strong></span> can be
             specified.
             For more details, see the description of
             <span><strong class="command">transfer-source</strong></span> and
             <span><strong class="command">transfer-source-v6</strong></span> in
             <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
           </p>
 <p>
             The <span><strong class="command">notify-source</strong></span> and
             <span><strong class="command">notify-source-v6</strong></span> clauses specify the
             IPv4 and IPv6 source address to be used for notify
             messages sent to remote servers, respectively.  For an
             IPv4 remote server, only <span><strong class="command">notify-source</strong></span>
             can be specified.  Similarly, for an IPv6 remote server,
             only <span><strong class="command">notify-source-v6</strong></span> can be specified.
           </p>
 <p>
             The <span><strong class="command">query-source</strong></span> and
             <span><strong class="command">query-source-v6</strong></span> clauses specify the
             IPv4 and IPv6 source address to be used for queries
             sent to remote servers, respectively.  For an IPv4
             remote server, only <span><strong class="command">query-source</strong></span> can
             be specified.  Similarly, for an IPv6 remote server,
             only <span><strong class="command">query-source-v6</strong></span> can be specified.
           </p>
 <p>
             The <span><strong class="command">request-nsid</strong></span> clause determines
             whether the local server will add a NSID EDNS option
             to requests sent to the server.  This overrides
             <span><strong class="command">request-nsid</strong></span> set at the view or
             option level. 
           </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> {
    [ inet ( ip_addr | * ) [ port ip_port ]
    [ allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ]
    [ inet ...; ]
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2590489"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
             Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">statistics-channels</strong></span> statement
           declares communication channels to be used by system
           administrators to get access to statistics information of
           the name server.
         </p>
 <p>
           This statement intends to be flexible to support multiple
           communication protocols in the future, but currently only
           HTTP access is supported.
           It requires that BIND 9 be compiled with libxml2;
           the <span><strong class="command">statistics-channels</strong></span> statement is
           still accepted even if it is built without the library,
           but any HTTP access will fail with an error.
         </p>
 <p>
           An <span><strong class="command">inet</strong></span> control channel is a TCP socket
           listening at the specified <span><strong class="command">ip_port</strong></span> on the
           specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
           address.  An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
           interpreted as the IPv4 wildcard address; connections will be
           accepted on any of the system's IPv4 addresses.
           To listen on the IPv6 wildcard address,
           use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
         </p>
 <p>
           If no port is specified, port 80 is used for HTTP channels.
           The asterisk "<code class="literal">*</code>" cannot be used for
           <span><strong class="command">ip_port</strong></span>.
         </p>
 <p>
           The attempt of opening a statistics channel is
           restricted by the optional <span><strong class="command">allow</strong></span> clause.
           Connections to the statistics channel are permitted based on the
           <span><strong class="command">address_match_list</strong></span>.
           If no <span><strong class="command">allow</strong></span> clause is present,
           <span><strong class="command">named</strong></span> accepts connection
           attempts from any address; since the statistics may
           contain sensitive internal information, it is highly
           recommended to restrict the source of connection requests
           appropriately.
         </p>
 <p>
           If no <span><strong class="command">statistics-channels</strong></span> statement is present,
           <span><strong class="command">named</strong></span> will not open any communication channels.
         </p>
 <p>
           If the statistics channel is configured to listen on 127.0.0.1
           port 8888, then the statistics are accessible in XML format at
           <a href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
           <a href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
           included which can format the XML statistics into tables 
           when viewed with a stylesheet-capable browser.  When
           <acronym class="acronym">BIND</acronym> 9 is configured with --enable-newstats, 
           a new XML schema is used (version 3) which adds additional
           zone statistics and uses a flatter tree for more efficient
           parsing.  The stylesheet included uses the Google Charts API
           to render data into into charts and graphs when using a
           javascript-capable browser.
         </p>
 <p>
           Applications that depend on a particular XML schema
           can request 
           <a href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2
           of the statistics XML schema or 
           <a href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3.
           If the requested schema is supported by the server, then
           it will respond; if not, it will return a "page not found"
           error.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> {
     <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
     [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2590796"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</h3></div></div></div>
 <p>
             The <span><strong class="command">trusted-keys</strong></span> statement defines
             DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
             public key for a non-authoritative zone is known, but
             cannot be securely obtained through DNS, either because
             it is the DNS root zone or because its parent zone is
             unsigned.  Once a key has been configured as a trusted
             key, it is treated as if it had been validated and
             proven secure. The resolver attempts DNSSEC validation
             on all DNS data in subdomains of a security root.
           </p>
 <p>
             All keys (and corresponding zones) listed in
             <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless
             of what parent zones say.  Similarly for all keys listed in
             <span><strong class="command">trusted-keys</strong></span> only those keys are
             used to validate the DNSKEY RRset.  The parent's DS RRset
             will not be used.
           </p>
 <p>
             The <span><strong class="command">trusted-keys</strong></span> statement can contain
             multiple key entries, each consisting of the key's
             domain name, flags, protocol, algorithm, and the Base-64
             representation of the key data.
             Spaces, tabs, newlines and carriage returns are ignored
             in the key data, so the configuration may be split up into
             multiple lines.
           </p>
 <p>
             <span><strong class="command">trusted-keys</strong></span> may be set at the top level
             of <code class="filename">named.conf</code> or within a view.  If it is
             set in both places, they are additive: keys defined at the top
             level are inherited by all views, but keys defined in a view
             are only used within that view.
           </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2590843"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">managed-keys</strong></span> {
     <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ;
     [<span class="optional"> <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>]
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
             and Usage</h3></div></div></div>
 <p>
             The <span><strong class="command">managed-keys</strong></span> statement, like 
             <span><strong class="command">trusted-keys</strong></span>, defines DNSSEC
             security roots.  The difference is that
             <span><strong class="command">managed-keys</strong></span> can be kept up to date
             automatically, without intervention from the resolver
             operator.
           </p>
 <p>
             Suppose, for example, that a zone's key-signing
             key was compromised, and the zone owner had to revoke and
             replace the key.  A resolver which had the old key in a
             <span><strong class="command">trusted-keys</strong></span> statement would be
             unable to validate this zone any longer; it would
             reply with a SERVFAIL response code.  This would
             continue until the resolver operator had updated the
             <span><strong class="command">trusted-keys</strong></span> statement with the new key.
           </p>
 <p>
             If, however, the zone were listed in a
             <span><strong class="command">managed-keys</strong></span> statement instead, then the
             zone owner could add a "stand-by" key to the zone in advance.
             <span><strong class="command">named</strong></span> would store the stand-by key, and
             when the original key was revoked, <span><strong class="command">named</strong></span>
             would be able to transition smoothly to the new key.  It would
             also recognize that the old key had been revoked, and cease
             using that key to validate answers, minimizing the damage that
             the compromised key could do.
           </p>
 <p>
             A <span><strong class="command">managed-keys</strong></span> statement contains a list of
             the keys to be managed, along with information about how the
             keys are to be initialized for the first time.  The only
             initialization method currently supported (as of
             <acronym class="acronym">BIND</acronym> 9.7.0) is <code class="literal">initial-key</code>.
             This means the <span><strong class="command">managed-keys</strong></span> statement must
             contain a copy of the initializing key.  (Future releases may
             allow keys to be initialized by other methods, eliminating this
             requirement.)
           </p>
 <p>
             Consequently, a <span><strong class="command">managed-keys</strong></span> statement
             appears similar to a <span><strong class="command">trusted-keys</strong></span>, differing
             in the presence of the second field, containing the keyword
             <code class="literal">initial-key</code>.  The difference is, whereas the
             keys listed in a <span><strong class="command">trusted-keys</strong></span> continue to be
             trusted until they are removed from
             <code class="filename">named.conf</code>, an initializing key listed 
             in a <span><strong class="command">managed-keys</strong></span> statement is only trusted
             <span class="emphasis"><em>once</em></span>: for as long as it takes to load the
             managed key database and start the RFC 5011 key maintenance
             process.
           </p>
 <p>
             The first time <span><strong class="command">named</strong></span> runs with a managed key
             configured in <code class="filename">named.conf</code>, it fetches the
             DNSKEY RRset directly from the zone apex, and validates it
             using the key specified in the <span><strong class="command">managed-keys</strong></span>
             statement.  If the DNSKEY RRset is validly signed, then it is
             used as the basis for a new managed keys database.
           </p>
 <p>
             From that point on, whenever <span><strong class="command">named</strong></span> runs, it
             sees the <span><strong class="command">managed-keys</strong></span> statement, checks to
             make sure RFC 5011 key maintenance has already been initialized
             for the specified domain, and if so, it simply moves on.  The
             key specified in the <span><strong class="command">managed-keys</strong></span> is not
             used to validate answers; it has been superseded by the key or
             keys stored in the managed keys database.
           </p>
 <p>
             The next time <span><strong class="command">named</strong></span> runs after a name
             has been <span class="emphasis"><em>removed</em></span> from the
             <span><strong class="command">managed-keys</strong></span> statement, the corresponding
             zone will be removed from the managed keys database,
             and RFC 5011 key maintenance will no longer be used for that
             domain.
           </p>
 <p>
             <span><strong class="command">named</strong></span> only maintains a single managed keys
             database; consequently, unlike <span><strong class="command">trusted-keys</strong></span>,
             <span><strong class="command">managed-keys</strong></span> may only be set at the top
             level of <code class="filename">named.conf</code>, not within a view.
           </p>
 <p>
             In the current implementation, the managed keys database is
             stored as a master-format zone file called
             <code class="filename">managed-keys.bind</code>.  When the key database
             is changed, the zone is updated.  As with any other dynamic
             zone, changes will be written into a journal file,
             <code class="filename">managed-keys.bind.jnl</code>.  They are committed
             to the master file as soon as possible afterward; in the case
             of the managed key database, this will usually occur within 30
             seconds.  So, whenever <span><strong class="command">named</strong></span> is using
             automatic key maintenance, those two files can be expected to
             exist in the working directory.  (For this reason among others,
             the working directory should be always be writable by
             <span><strong class="command">named</strong></span>.)
           </p>
 <p>
             If the <span><strong class="command">dnssec-validation</strong></span> option is
             set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
             will automatically initialize a managed key for the
             root zone.  Similarly, if the <span><strong class="command">dnssec-lookaside</strong></span>
             option is set to <strong class="userinput"><code>auto</code></strong>,
             <span><strong class="command">named</strong></span> will automatically initialize
             a managed key for the zone <code class="literal">dlv.isc.org</code>.
             In both cases, the key that is used to initialize the key
             maintenance process is built into <span><strong class="command">named</strong></span>,
             and can be overridden from <span><strong class="command">bindkeys-file</strong></span>.
           </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em>
       [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
       match-clients { <em class="replaceable"><code>address_match_list</code></em> };
       match-destinations { <em class="replaceable"><code>address_match_list</code></em> };
       match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ;
       [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>]
       [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>]
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2591278"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
             The <span><strong class="command">view</strong></span> statement is a powerful
             feature
             of <acronym class="acronym">BIND</acronym> 9 that lets a name server
             answer a DNS query differently
             depending on who is asking. It is particularly useful for
             implementing
             split DNS setups without having to run multiple servers.
           </p>
 <p>
             Each <span><strong class="command">view</strong></span> statement defines a view
             of the
             DNS namespace that will be seen by a subset of clients.  A client
             matches
             a view if its source IP address matches the
             <code class="varname">address_match_list</code> of the view's
             <span><strong class="command">match-clients</strong></span> clause and its
             destination IP address matches
             the <code class="varname">address_match_list</code> of the
             view's
             <span><strong class="command">match-destinations</strong></span> clause.  If not
             specified, both
             <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
             default to matching all addresses.  In addition to checking IP
             addresses
             <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
             can also take <span><strong class="command">keys</strong></span> which provide an
             mechanism for the
             client to select the view.  A view can also be specified
             as <span><strong class="command">match-recursive-only</strong></span>, which
             means that only recursive
             requests from matching clients will match that view.
             The order of the <span><strong class="command">view</strong></span> statements is
             significant &#8212;
             a client request will be resolved in the context of the first
             <span><strong class="command">view</strong></span> that it matches.
           </p>
 <p>
             Zones defined within a <span><strong class="command">view</strong></span>
             statement will
             only be accessible to clients that match the <span><strong class="command">view</strong></span>.
             By defining a zone of the same name in multiple views, different
             zone data can be given to different clients, for example,
             "internal"
             and "external" clients in a split DNS setup.
           </p>
 <p>
             Many of the options given in the <span><strong class="command">options</strong></span> statement
             can also be used within a <span><strong class="command">view</strong></span>
             statement, and then
             apply only when resolving queries with that view.  When no
             view-specific
             value is given, the value in the <span><strong class="command">options</strong></span> statement
             is used as a default.  Also, zone options can have default values
             specified
             in the <span><strong class="command">view</strong></span> statement; these
             view-specific defaults
             take precedence over those in the <span><strong class="command">options</strong></span> statement.
           </p>
 <p>
             Views are class specific.  If no class is given, class IN
             is assumed.  Note that all non-IN views must contain a hint zone,
             since only the IN class has compiled-in default hints.
           </p>
 <p>
             If there are no <span><strong class="command">view</strong></span> statements in
             the config
             file, a default view that matches any client is automatically
             created
             in class IN. Any <span><strong class="command">zone</strong></span> statements
             specified on
             the top level of the configuration file are considered to be part
             of
             this default view, and the <span><strong class="command">options</strong></span>
             statement will
             apply to the default view. If any explicit <span><strong class="command">view</strong></span>
             statements are present, all <span><strong class="command">zone</strong></span>
             statements must
             occur inside <span><strong class="command">view</strong></span> statements.
           </p>
 <p>
             Here is an example of a typical split DNS setup implemented
             using <span><strong class="command">view</strong></span> statements:
           </p>
 <pre class="programlisting">view "internal" {
       // This should match our internal networks.
       match-clients { 10.0.0.0/8; };
 
       // Provide recursive service to internal
       // clients only.
       recursion yes;
 
       // Provide a complete view of the example.com
       // zone including addresses of internal hosts.
       zone "example.com" {
             type master;
             file "example-internal.db";
       };
 };
 
 view "external" {
       // Match all clients not matched by the
       // previous view.
       match-clients { any; };
 
       // Refuse recursive service to external clients.
       recursion no;
 
       // Provide a restricted view of the example.com
       // zone containing only publicly accessible hosts.
       zone "example.com" {
            type master;
            file "example-external.db";
       };
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span>
             Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type master;
     [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
     [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
                   [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
     [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
     [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
     [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
     [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
     [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
     [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
     [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
     [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
     [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
     [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
     [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
     [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>; </span>]
 };
 
 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type slave;
     [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
     [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
                               [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
                               [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
     [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
     [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
     [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
     [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
     [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
     [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
                               [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
                               [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
     [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
     [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
     [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
                              [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
     [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
     [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
     [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 };
 
 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type hint;
     file <em class="replaceable"><code>string</code></em> ;
     [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
 };
 
 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type stub;
     [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
     [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
     [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
     [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
     [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
                               [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
                               [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
     [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
                          [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
                             [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 };
 
 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type static-stub;
     [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>]
     [<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>]  
     [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 };
 
 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type forward;
     [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
     [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 };
 
 zone <em class="replaceable"><code>"."</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type redirect;
     file <em class="replaceable"><code>string</code></em> ;
     [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
     [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 };
 
 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type delegation-only;
 };
 
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2592987"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2592995"></a>Zone Types</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                       <p>
                         <code class="varname">master</code>
                       </p>
                     </td>
 <td>
                       <p>
                         The server has a master copy of the data
                         for the zone and will be able to provide authoritative
                         answers for
                         it.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">slave</code>
                       </p>
                     </td>
 <td>
                       <p>
                         A slave zone is a replica of a master
                         zone. The <span><strong class="command">masters</strong></span> list
                         specifies one or more IP addresses
                         of master servers that the slave contacts to update
                         its copy of the zone.
                         Masters list elements can also be names of other
                         masters lists.
                         By default, transfers are made from port 53 on the
                         servers; this can
                         be changed for all servers by specifying a port number
                         before the
                         list of IP addresses, or on a per-server basis after
                         the IP address.
                         Authentication to the master can also be done with
                         per-server TSIG keys.
                         If a file is specified, then the
                         replica will be written to this file whenever the zone
                         is changed,
                         and reloaded from this file on a server restart. Use
                         of a file is
                         recommended, since it often speeds server startup and
                         eliminates
                         a needless waste of bandwidth. Note that for large
                         numbers (in the
                         tens or hundreds of thousands) of zones per server, it
                         is best to
                         use a two-level naming scheme for zone filenames. For
                         example,
                         a slave server for the zone <code class="literal">example.com</code> might place
                         the zone contents into a file called
                         <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
                         just the first two letters of the zone name. (Most
                         operating systems
                         behave very slowly if you put 100000 files into
                         a single directory.)
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">stub</code>
                       </p>
                     </td>
 <td>
                       <p>
                         A stub zone is similar to a slave zone,
                         except that it replicates only the NS records of a
                         master zone instead
                         of the entire zone. Stub zones are not a standard part
                         of the DNS;
                         they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
                       </p>
 
                       <p>
                         Stub zones can be used to eliminate the need for glue
                         NS record
                         in a parent zone at the expense of maintaining a stub
                         zone entry and
                         a set of name server addresses in <code class="filename">named.conf</code>.
                         This usage is not recommended for new configurations,
                         and BIND 9
                         supports it only in a limited way.
                         In <acronym class="acronym">BIND</acronym> 4/8, zone
                         transfers of a parent zone
                         included the NS records from stub children of that
                         zone. This meant
                         that, in some cases, users could get away with
                         configuring child stubs
                         only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
                         9 never mixes together zone data from different zones
                         in this
                         way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
                         zone has child stub zones configured, all the slave
                         servers for the
                         parent zone also need to have the same child stub
                         zones
                         configured.
                       </p>
 
                       <p>
                         Stub zones can also be used as a way of forcing the
                         resolution
                         of a given domain to use a particular set of
                         authoritative servers.
                         For example, the caching name servers on a private
                         network using
                         RFC1918 addressing may be configured with stub zones
                         for
                         <code class="literal">10.in-addr.arpa</code>
                         to use a set of internal name servers as the
                         authoritative
                         servers for that domain.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">static-stub</code>
                       </p>
                     </td>
 <td>
                       <p>
                         A static-stub zone is similar to a stub zone
                         with the following exceptions:
                         the zone data is statically configured, rather
                         than transferred from a master server;
                         when recursion is necessary for a query that
                         matches a static-stub zone, the locally
                         configured data (nameserver names and glue addresses)
                         is always used even if different authoritative
                         information is cached.
                       </p>
                       <p>
                         Zone data is configured via the
                         <span><strong class="command">server-addresses</strong></span> and
                         <span><strong class="command">server-names</strong></span> zone options.
                       </p>
                       <p>
                         The zone data is maintained in the form of NS
                         and (if necessary) glue A or AAAA RRs
                         internally, which can be seen by dumping zone
                         databases by <span><strong class="command">rndc dumpdb -all</strong></span>.
                         The configured RRs are considered local configuration
                         parameters rather than public data.
                         Non recursive queries (i.e., those with the RD
                         bit off) to a static-stub zone are therefore
                         prohibited and will be responded with REFUSED.
                       </p>
                       <p>
                         Since the data is statically configured, no
                         zone maintenance action takes place for a static-stub
                         zone.
                         For example, there is no periodic refresh
                         attempt, and an incoming notify message
                         will be rejected with an rcode of NOTAUTH.
                       </p>
                       <p>
                         Each static-stub zone is configured with
                         internally generated NS and (if necessary)
                         glue A or AAAA RRs 
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">forward</code>
                       </p>
                     </td>
 <td>
                       <p>
                         A "forward zone" is a way to configure
                         forwarding on a per-domain basis.  A <span><strong class="command">zone</strong></span> statement
                         of type <span><strong class="command">forward</strong></span> can
                         contain a <span><strong class="command">forward</strong></span>
                         and/or <span><strong class="command">forwarders</strong></span>
                         statement,
                         which will apply to queries within the domain given by
                         the zone
                         name. If no <span><strong class="command">forwarders</strong></span>
                         statement is present or
                         an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
                         forwarding will be done for the domain, canceling the
                         effects of
                         any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
                         if you want to use this type of zone to change the
                         behavior of the
                         global <span><strong class="command">forward</strong></span> option
                         (that is, "forward first"
                         to, then "forward only", or vice versa, but want to
                         use the same
                         servers as set globally) you need to re-specify the
                         global forwarders.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">hint</code>
                       </p>
                     </td>
 <td>
                       <p>
                         The initial set of root name servers is
                         specified using a "hint zone". When the server starts
                         up, it uses
                         the root hints to find a root name server and get the
                         most recent
                         list of root name servers. If no hint zone is
                         specified for class
                         IN, the server uses a compiled-in default set of root
                         servers hints.
                         Classes other than IN have no built-in defaults hints.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">redirect</code>
                       </p>
                     </td>
 <td>
                       <p>
                         Redirect zones are used to provide answers to
                         queries when normal resolution would result in
                         NXDOMAIN being returned.
                         Only one redirect zone is supported
                         per view.  <span><strong class="command">allow-query</strong></span> can be
                         used to restrict which clients see these answers.
                       </p>
                       <p>
                         If the client has requested DNSSEC records (DO=1) and
                         the NXDOMAIN response is signed then no substitution
                         will occur.
                       </p>
                       <p>
                         To redirect all NXDOMAIN responses to
                         100.100.100.2 and
                         2001:ffff:ffff::100.100.100.2, one would
                         configure a type redirect zone named ".",
                         with the zone file containing wildcard records
                         that point to the desired addresses: 
                         <code class="literal">"*. IN A 100.100.100.2"</code>
                         and
                         <code class="literal">"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</code>.
                       </p>
                       <p>
                         To redirect all Spanish names (under .ES) one
                         would use similar entries but with the names
                         "*.ES." instead of "*.".  To redirect all 
                         commercial Spanish names (under COM.ES) one
                         would use wildcard entries called "*.COM.ES.".
                       </p>
                       <p>
                         Note that the redirect zone supports all
                         possible types; it is not limited to A and
                         AAAA records.
                       </p>
                       <p>
                         Because redirect zones are not referenced
                         directly by name, they are not kept in the
                         zone lookup table with normal master and slave
                         zones. Consequently, it is not currently possible
                         to use
                         <span><strong class="command">rndc reload
                                 <em class="replaceable"><code>zonename</code></em></strong></span>
                         to reload a redirect zone.  However, when using
                         <span><strong class="command">rndc reload</strong></span> without specifying
                         a zone name, redirect zones will be reloaded along
                         with other zones.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">delegation-only</code>
                       </p>
                     </td>
 <td>
                       <p>
                         This is used to enforce the delegation-only
                         status of infrastructure zones (e.g. COM,
                         NET, ORG).  Any answer that is received
                         without an explicit or implicit delegation
                         in the authority section will be treated
                         as NXDOMAIN.  This does not apply to the
                         zone apex.  This should not be applied to
                         leaf zones.
                       </p>
                       <p>
                         <code class="varname">delegation-only</code> has no
                         effect on answers received from forwarders.
                       </p>
                       <p>
                         See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
                       </p>
                     </td>
 </tr>
 </tbody>
 </table></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2593739"></a>Class</h4></div></div></div>
 <p>
               The zone's name may optionally be followed by a class. If
               a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
               is assumed. This is correct for the vast majority of cases.
             </p>
 <p>
               The <code class="literal">hesiod</code> class is
               named for an information service from MIT's Project Athena. It
               is
               used to share information about various systems databases, such
               as users, groups, printers and so on. The keyword
               <code class="literal">HS</code> is
               a synonym for hesiod.
             </p>
 <p>
               Another MIT development is Chaosnet, a LAN protocol created
               in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
             </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2593772"></a>Zone Options</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
 <dd><p>
                     See the description of <span><strong class="command">allow-transfer</strong></span>
                     in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
 <dd><p>
                     See the description of <span><strong class="command">allow-update</strong></span>
                     in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt>
 <dd><p>
                     Specifies a "Simple Secure Update" policy. See
                     <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
 <dd><p>
                     See the description of <span><strong class="command">allow-update-forwarding</strong></span>
                     in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
 <dd><p>
                     Only meaningful if <span><strong class="command">notify</strong></span>
                     is
                     active for this zone. The set of machines that will
                     receive a
                     <code class="literal">DNS NOTIFY</code> message
                     for this zone is made up of all the listed name servers
                     (other than
                     the primary master) for the zone plus any IP addresses
                     specified
                     with <span><strong class="command">also-notify</strong></span>. A port
                     may be specified
                     with each <span><strong class="command">also-notify</strong></span>
                     address to send the notify
                     messages to a port other than the default of 53.
                     A TSIG key may also be specified to cause the
                     <code class="literal">NOTIFY</code> to be signed by the
                     given key.
                     <span><strong class="command">also-notify</strong></span> is not
                     meaningful for stub zones.
                     The default is the empty list.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
 <dd><p>
                     This option is used to restrict the character set and
                     syntax of
                     certain domain names in master files and/or DNS responses
                     received from the
                     network.  The default varies according to zone type.  For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.  For <span><strong class="command">slave</strong></span>
                     zones the default is <span><strong class="command">warn</strong></span>.
                     It is not implemented for <span><strong class="command">hint</strong></span> zones.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">check-spf</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">dnssec-update-mode</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
           Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
           Usage&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
 <dd>
 <p>
                     Specify the type of database to be used for storing the
                     zone data.  The string following the <span><strong class="command">database</strong></span> keyword
                     is interpreted as a list of whitespace-delimited words.
                     The first word
                     identifies the database type, and any subsequent words are
                     passed
                     as arguments to the database to be interpreted in a way
                     specific
                     to the database type.
                   </p>
 <p>
                     The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
                     native in-memory
                     red-black-tree database.  This database does not take
                     arguments.
                   </p>
 <p>
                     Other values are possible if additional database drivers
                     have been linked into the server.  Some sample drivers are
                     included
                     with the distribution but none are linked in by default.
                   </p>
 </dd>
 <dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt>
 <dd>
 <p>
                     The flag only applies to forward, hint and stub
                     zones.  If set to <strong class="userinput"><code>yes</code></strong>,
                     then the zone will also be treated as if it is
                     also a delegation-only type zone.
                   </p>
 <p>
                     See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
                   </p>
 </dd>
 <dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
 <dd><p>
                     Only meaningful if the zone has a forwarders
                     list. The <span><strong class="command">only</strong></span> value causes
                     the lookup to fail
                     after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
                     allow a normal lookup to be tried.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
 <dd><p>
                     Used to override the list of global forwarders.
                     If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
                     no forwarding is done for the zone and the global options are
                     not used.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt>
 <dd><p>
                     Was used in <acronym class="acronym">BIND</acronym> 8 to
                     specify the name
                     of the transaction log (journal) file for dynamic update
                     and IXFR.
                     <acronym class="acronym">BIND</acronym> 9 ignores the option
                     and constructs the name of the journal
                     file by appending "<code class="filename">.jnl</code>"
                     to the name of the
                     zone file.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt>
 <dd><p>
                     Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
                     Ignored in <acronym class="acronym">BIND</acronym> 9.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">journal</strong></span></span></dt>
 <dd><p>
                     Allow the default journal's filename to be overridden.
                     The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
                     This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server  Resource Limits">the section called &#8220;Server  Resource Limits&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">notify-to-soa</strong></span> in
                     <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
 <dd><p>
                     In <acronym class="acronym">BIND</acronym> 8, this option was
                     intended for specifying
                     a public zone key for verification of signatures in DNSSEC
                     signed
                     zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
                     on load and ignores the option.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
 <dd><p>
                     If <strong class="userinput"><code>yes</code></strong>, the server will keep
                     statistical
                     information for this zone, which can be dumped to the
                     <span><strong class="command">statistics-file</strong></span> defined in
                     the server options.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">server-addresses</strong></span></span></dt>
 <dd>
 <p>
                     Only meaningful for static-stub zones.
                     This is a list of IP addresses to which queries
                     should be sent in recursive resolution for the
                     zone.
                     A non empty list for this option will internally
                     configure the apex NS RR with associated glue A or
                     AAAA RRs.
                   </p>
 <p>
                     For example, if "example.com" is configured as a
                     static-stub zone with 192.0.2.1 and 2001:db8::1234
                     in a <span><strong class="command">server-addresses</strong></span> option,
                     the following RRs will be internally configured.
                   </p>
 <pre class="programlisting">example.com. NS example.com.
 example.com. A 192.0.2.1
 example.com. AAAA 2001:db8::1234</pre>
 <p>
                     These records are internally used to resolve
                     names under the static-stub zone.
                     For instance, if the server receives a query for
                     "www.example.com" with the RD bit on, the server
                     will initiate recursive resolution and send
                     queries to 192.0.2.1 and/or 2001:db8::1234.
                   </p>
 </dd>
 <dt><span class="term"><span><strong class="command">server-names</strong></span></span></dt>
 <dd>
 <p>
                     Only meaningful for static-stub zones.
                     This is a list of domain names of nameservers that
                     act as authoritative servers of the static-stub
                     zone.
                     These names will be resolved to IP addresses when
                     <span><strong class="command">named</strong></span> needs to send queries to
                     these servers.
                     To make this supplemental resolution successful,
                     these names must not be a subdomain of the origin
                     name of static-stub zone.
                     That is, when "example.net" is the origin of a
                     static-stub zone, "ns.example" and
                     "master.example.com" can be specified in the
                     <span><strong class="command">server-names</strong></span> option, but
                     "ns.example.net" cannot, and will be rejected by
                     the configuration parser.
                   </p>
 <p>
                     A non empty list for this option will internally
                     configure the apex NS RR with the specified names.
                     For example, if "example.com" is configured as a
                     static-stub zone with "ns1.example.net" and
                     "ns2.example.net"
                     in a <span><strong class="command">server-names</strong></span> option,
                     the following RRs will be internally configured.
                   </p>
 <pre class="programlisting">example.com. NS ns1.example.net.
 example.com. NS ns2.example.net.
 </pre>
 <p>
                     These records are internally used to resolve
                     names under the static-stub zone.
                     For instance, if the server receives a query for
                     "www.example.com" with the RD bit on, the server
                     initiate recursive resolution,
                     resolve "ns1.example.net" and/or
                     "ns2.example.net" to IP addresses, and then send
                     queries to (one or more of) these addresses.
                   </p>
 </dd>
 <dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
                   </p></dd>
 <dt>
 <span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
 </dt>
 <dd><p>
                     See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                     (Note that the <span><strong class="command">ixfr-from-differences</strong></span>
                     <strong class="userinput"><code>master</code></strong> and
                     <strong class="userinput"><code>slave</code></strong> choices are not
                     available at the zone level.)
                   </p></dd>
 <dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
           Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
           Usage&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">auto-dnssec</strong></span></span></dt>
 <dd>
 <p>
                     Zones configured for dynamic DNS may also use this
                     option to allow varying levels of automatic DNSSEC key
                     management. There are three possible settings:
                   </p>
 <p>
                     <span><strong class="command">auto-dnssec allow;</strong></span> permits
                     keys to be updated and the zone fully re-signed
                     whenever the user issues the command <span><strong class="command">rndc sign
                     <em class="replaceable"><code>zonename</code></em></strong></span>.
                   </p>
 <p>
                     <span><strong class="command">auto-dnssec maintain;</strong></span> includes the
                     above, but also automatically adjusts the zone's DNSSEC
                     keys on schedule, according to the keys' timing metadata
                     (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
                     <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>).  The command
                     <span><strong class="command">rndc sign
                     <em class="replaceable"><code>zonename</code></em></strong></span> causes
                     <span><strong class="command">named</strong></span> to load keys from the key
                     repository and sign the zone with all keys that are
                     active. 
                     <span><strong class="command">rndc loadkeys
                     <em class="replaceable"><code>zonename</code></em></strong></span> causes
                     <span><strong class="command">named</strong></span> to load keys from the key
                     repository and schedule key maintenance events to occur
                     in the future, but it does not sign the full zone
                     immediately.  Note: once keys have been loaded for a
                     zone the first time, the repository will be searched
                     for changes periodically, regardless of whether
                     <span><strong class="command">rndc loadkeys</strong></span> is used.  The recheck
                     interval is defined by
                     <span><strong class="command">dnssec-loadkeys-interval</strong></span>.)
                   </p>
 <p>
                     The default setting is <span><strong class="command">auto-dnssec off</strong></span>.
                   </p>
 </dd>
 <dt><span class="term"><span><strong class="command">serial-update-method</strong></span></span></dt>
 <dd>
 <p>
                     Zones configured for dynamic DNS may use this
                     option to set the update method that will be used for
                     the zone serial number in the SOA record.
                   </p>
 <p>
                     With the default setting of
                     <span><strong class="command">serial-update-method increment;</strong></span>, the
                     SOA serial number will be incremented by one each time
                     the zone is updated.
                   </p>
 <p>
                     When set to 
                     <span><strong class="command">serial-update-method unixtime;</strong></span>, the
                     SOA serial number will be set to the number of seconds
                     since the UNIX epoch, unless the serial number is
                     already greater than or equal to that value, in which
                     case it is simply incremented by one.
                   </p>
 </dd>
 <dt><span class="term"><span><strong class="command">inline-signing</strong></span></span></dt>
 <dd><p>
                     If <code class="literal">yes</code>, this enables
                     "bump in the wire" signing of a zone, where a
                     unsigned zone is transferred in or loaded from
                     disk and a signed version of the zone is served,
                     with possibly, a different serial number.  This
                     behaviour is disabled by default.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
 <dd><p>
                     See the description of <span><strong class="command">multi-master</strong></span> in
                     <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
 <dd><p>
                     See the description of <span><strong class="command">masterfile-format</strong></span>
                     in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
 <dd><p>
                     See the description of
                     <span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
 <p><acronym class="acronym">BIND</acronym> 9 supports two alternative
               methods of granting clients the right to perform
               dynamic updates to a zone, configured by the
               <span><strong class="command">allow-update</strong></span> and
               <span><strong class="command">update-policy</strong></span> option, respectively.
             </p>
 <p>
               The <span><strong class="command">allow-update</strong></span> clause works the
               same way as in previous versions of <acronym class="acronym">BIND</acronym>.
               It grants given clients the permission to update any
               record of any name in the zone.
             </p>
 <p>
               The <span><strong class="command">update-policy</strong></span> clause
               allows more fine-grained control over what updates are
               allowed.  A set of rules is specified, where each rule
               either grants or denies permissions for one or more
               names to be updated by one or more identities.  If
               the dynamic update request message is signed (that is,
               it includes either a TSIG or SIG(0) record), the
               identity of the signer can be determined.
             </p>
 <p>
               Rules are specified in the <span><strong class="command">update-policy</strong></span>
               zone option, and are only meaningful for master zones.
               When the <span><strong class="command">update-policy</strong></span> statement
               is present, it is a configuration error for the
               <span><strong class="command">allow-update</strong></span> statement to be
               present.  The <span><strong class="command">update-policy</strong></span> statement
               only examines the signer of a message; the source
               address is not relevant.
             </p>
 <p>
               There is a pre-defined <span><strong class="command">update-policy</strong></span>
               rule which can be switched on with the command
               <span><strong class="command">update-policy local;</strong></span>.
               Switching on this rule in a zone causes
               <span><strong class="command">named</strong></span> to generate a TSIG session
               key and place it in a file, and to allow that key
               to update the zone.  (By default, the file is
               <code class="filename">/var/run/named/session.key</code>, the key
               name is "local-ddns" and the key algorithm is HMAC-SHA256,
               but these values are configurable with the
               <span><strong class="command">session-keyfile</strong></span>,
               <span><strong class="command">session-keyname</strong></span> and
               <span><strong class="command">session-keyalg</strong></span> options, respectively).
             </p>
 <p>
               A client running on the local system, and with appropriate
               permissions, may read that file and use the key to sign update
               requests.  The zone's update policy will be set to allow that
               key to change any record within the zone.  Assuming the
               key name is "local-ddns", this policy is equivalent to:
             </p>
 <pre class="programlisting">update-policy { grant local-ddns zonesub any; };
             </pre>
 <p>
               The command <span><strong class="command">nsupdate -l</strong></span> sends update
               requests to localhost, and signs them using the session key.
             </p>
 <p>
               Other rule definitions look like this:
             </p>
 <pre class="programlisting">
 ( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
 </pre>
 <p>
               Each rule grants or denies privileges.  Once a message has
               successfully matched a rule, the operation is immediately
               granted or denied and no further rules are examined.  A rule
               is matched when the signer matches the identity field, the
               name matches the name field in accordance with the nametype
               field, and the type matches the types specified in the type
               field.
             </p>
 <p>
               No signer is required for <em class="replaceable"><code>tcp-self</code></em>
               or <em class="replaceable"><code>6to4-self</code></em> however the standard
               reverse mapping / prefix conversion must match the identity
               field.
             </p>
 <p>
               The identity field specifies a name or a wildcard
               name.  Normally, this is the name of the TSIG or
               SIG(0) key used to sign the update request.  When a
               TKEY exchange has been used to create a shared secret,
               the identity of the shared secret is the same as the
               identity of the key used to authenticate the TKEY
               exchange.  TKEY is also the negotiation method used
               by GSS-TSIG, which establishes an identity that is
               the Kerberos principal of the client, such as
               <strong class="userinput"><code>"user@host.domain"</code></strong>.  When the
               <em class="replaceable"><code>identity</code></em> field specifies
               a wildcard name, it is subject to DNS wildcard
               expansion, so the rule will apply to multiple identities.
               The <em class="replaceable"><code>identity</code></em> field must
               contain a fully-qualified domain name.
             </p>
 <p>
               For nametypes <code class="varname">krb5-self</code>,
               <code class="varname">ms-self</code>, <code class="varname">krb5-subdomain</code>,
               and <code class="varname">ms-subdomain</code> the
               <em class="replaceable"><code>identity</code></em> field specifies
               the Windows or Kerberos realm of the machine belongs to.
             </p>
 <p>
               The <em class="replaceable"><code>nametype</code></em> field has 13
               values:
               <code class="varname">name</code>, <code class="varname">subdomain</code>,
               <code class="varname">wildcard</code>, <code class="varname">self</code>,
               <code class="varname">selfsub</code>, <code class="varname">selfwild</code>,
               <code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
               <code class="varname">krb5-subdomain</code>,
               <code class="varname">ms-subdomain</code>,
               <code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>,
               <code class="varname">zonesub</code>, and <code class="varname">external</code>.
             </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                       <p>
                         <code class="varname">name</code>
                       </p>
                     </td>
 <td>
                       <p>
                         Exact-match semantics.  This rule matches
                         when the name being updated is identical
                         to the contents of the
                         <em class="replaceable"><code>name</code></em> field.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">subdomain</code>
                       </p>
                     </td>
 <td>
                       <p>
                         This rule matches when the name being updated
                         is a subdomain of, or identical to, the
                         contents of the <em class="replaceable"><code>name</code></em>
                         field.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">zonesub</code>
                       </p>
                     </td>
 <td>
                       <p>
                         This rule is similar to subdomain, except that
                         it matches when the name being updated is a
                         subdomain of the zone in which the
                         <span><strong class="command">update-policy</strong></span> statement
                         appears.  This obviates the need to type the zone
                         name twice, and enables the use of a standard
                         <span><strong class="command">update-policy</strong></span> statement in
                         multiple zones without modification.
                       </p>
                       <p>
                         When this rule is used, the
                         <em class="replaceable"><code>name</code></em> field is omitted.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">wildcard</code>
                       </p>
                     </td>
 <td>
                       <p>
                         The <em class="replaceable"><code>name</code></em> field
                         is subject to DNS wildcard expansion, and
                         this rule matches when the name being updated
                         name is a valid expansion of the wildcard.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">self</code>
                       </p>
                     </td>
 <td>
                       <p>
                         This rule matches when the name being updated
                         matches the contents of the
                         <em class="replaceable"><code>identity</code></em> field.
                         The <em class="replaceable"><code>name</code></em> field
                         is ignored, but should be the same as the
                         <em class="replaceable"><code>identity</code></em> field.
                         The <code class="varname">self</code> nametype is
                         most useful when allowing using one key per
                         name to update, where the key has the same
                         name as the name to be updated.  The
                         <em class="replaceable"><code>identity</code></em> would
                         be specified as <code class="constant">*</code> (an asterisk) in
                         this case.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">selfsub</code>
                       </p>
                     </td>
 <td>
                       <p>
                         This rule is similar to <code class="varname">self</code>
                         except that subdomains of <code class="varname">self</code>
                         can also be updated.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">selfwild</code>
                       </p>
                     </td>
 <td>
                       <p>
                         This rule is similar to <code class="varname">self</code>
                         except that only subdomains of
                         <code class="varname">self</code> can be updated.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">ms-self</code>
                       </p>
                     </td>
 <td>
                       <p>
                         This rule takes a Windows machine principal
                         (machine$@REALM) for machine in REALM and
                         and converts it machine.realm allowing the machine 
                         to update machine.realm.  The REALM to be matched
                         is specified in the <em class="replaceable"><code>identity</code></em>
                         field.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">ms-subdomain</code>
                       </p>
                     </td>
 <td>
                       <p>
                         This rule takes a Windows machine principal 
                         (machine$@REALM) for machine in REALM and
                         converts it to machine.realm allowing the machine
                         to update subdomains of machine.realm.  The REALM
                         to be matched is specified in the
                         <em class="replaceable"><code>identity</code></em> field.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">krb5-self</code>
                       </p>
                     </td>
 <td>
                       <p>
                         This rule takes a Kerberos machine principal
                         (host/machine@REALM) for machine in REALM and
                         and converts it machine.realm allowing the machine 
                         to update machine.realm.  The REALM to be matched
                         is specified in the <em class="replaceable"><code>identity</code></em>
                         field.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">krb5-subdomain</code>
                       </p>
                     </td>
 <td>
                       <p>
                         This rule takes a Kerberos machine principal 
                         (host/machine@REALM) for machine in REALM and
                         converts it to machine.realm allowing the machine
                         to update subdomains of machine.realm.  The REALM
                         to be matched is specified in the
                         <em class="replaceable"><code>identity</code></em> field.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">tcp-self</code>
                       </p>
                     </td>
 <td>
                       <p>
                         Allow updates that have been sent via TCP and
                         for which the standard mapping from the initiating
                         IP address into the IN-ADDR.ARPA and IP6.ARPA
                         namespaces match the name to be updated.
                       </p>
                       <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
                         It is theoretically possible to spoof these TCP
                         sessions.
                       </div>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">6to4-self</code>
                       </p>
                     </td>
 <td>
                       <p>
                         Allow the 6to4 prefix to be update by any TCP
                         connection from the 6to4 network or from the
                         corresponding IPv4 address.  This is intended
                         to allow NS or DNAME RRsets to be added to the
                         reverse tree.
                       </p>
                       <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
                         It is theoretically possible to spoof these TCP
                         sessions.
                       </div>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="varname">external</code>
                       </p>
                     </td>
 <td>
                       <p>
                         This rule allows <span><strong class="command">named</strong></span>
                         to defer the decision of whether to allow a
                         given update to an external daemon.
                       </p>
                       <p>
                         The method of communicating with the daemon is
                         specified in the <em class="replaceable"><code>identity</code></em>
                         field, the format of which is
                         "<code class="constant">local:</code><em class="replaceable"><code>path</code></em>",
                         where <em class="replaceable"><code>path</code></em> is the location
                         of a UNIX-domain socket.  (Currently, "local" is the
                         only supported mechanism.)
                       </p>
                       <p>
                         Requests to the external daemon are sent over the
                         UNIX-domain socket as datagrams with the following
                         format:
                       </p>
                       <pre class="programlisting">
    Protocol version number (4 bytes, network byte order, currently 1)
    Request length (4 bytes, network byte order)
    Signer (null-terminated string)
    Name (null-terminated string)
    TCP source address (null-terminated string)
    Rdata type (null-terminated string)
    Key (null-terminated string)
    TKEY token length (4 bytes, network byte order)
    TKEY token (remainder of packet)</pre>
                       <p>
                         The daemon replies with a four-byte value in
                         network byte order, containing either 0 or 1; 0
                         indicates that the specified update is not
                         permitted, and 1 indicates that it is.
                       </p>
                     </td>
 </tr>
 </tbody>
 </table></div>
 <p>
               In all cases, the <em class="replaceable"><code>name</code></em>
               field must specify a fully-qualified domain name.
             </p>
 <p>
               If no types are explicitly specified, this rule matches
               all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
               may be specified by name, including "ANY" (ANY matches
               all types except NSEC and NSEC3, which can never be
               updated).  Note that when an attempt is made to delete
               all records associated with a name, the rules are
               checked for each existing record type.
             </p>
 </div>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2596605"></a>Zone File</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
 <p>
             This section, largely borrowed from RFC 1034, describes the
             concept of a Resource Record (RR) and explains when each is used.
             Since the publication of RFC 1034, several new RRs have been
             identified
             and implemented in the DNS. These are also included.
           </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2596624"></a>Resource Records</h4></div></div></div>
 <p>
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
               information associated with a particular name is composed of
               separate RRs. The order of RRs in a set is not significant and
               need not be preserved by name servers, resolvers, or other
               parts of the DNS. However, sorting of multiple RRs is
               permitted for optimization purposes, for example, to specify
               that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.
             </p>
 <p>
               The components of a Resource Record are:
             </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                       <p>
                         owner name
                       </p>
                     </td>
 <td>
                       <p>
                         The domain name where the RR is found.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         type
                       </p>
                     </td>
 <td>
                       <p>
                         An encoded 16-bit value that specifies
                         the type of the resource record.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         TTL
                       </p>
                     </td>
 <td>
                       <p>
                         The time-to-live of the RR. This field
                         is a 32-bit integer in units of seconds, and is
                         primarily used by
                         resolvers when they cache RRs. The TTL describes how
                         long a RR can
                         be cached before it should be discarded.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         class
                       </p>
                     </td>
 <td>
                       <p>
                         An encoded 16-bit value that identifies
                         a protocol family or instance of a protocol.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         RDATA
                       </p>
                     </td>
 <td>
                       <p>
                         The resource data.  The format of the
                         data is type (and sometimes class) specific.
                       </p>
                     </td>
 </tr>
 </tbody>
 </table></div>
 <p>
               The following are <span class="emphasis"><em>types</em></span> of valid RRs:
             </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                       <p>
                         A
                       </p>
                     </td>
 <td>
                       <p>
                         A host address.  In the IN class, this is a
                         32-bit IP address.  Described in RFC 1035.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         AAAA
                       </p>
                     </td>
 <td>
                       <p>
                         IPv6 address.  Described in RFC 1886.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         A6
                       </p>
                     </td>
 <td>
                       <p>
                         IPv6 address.  This can be a partial
                         address (a suffix) and an indirection to the name
                         where the rest of the
                         address (the prefix) can be found.  Experimental.
                         Described in RFC 2874.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         AFSDB
                       </p>
                     </td>
 <td>
                       <p>
                         Location of AFS database servers.
                         Experimental.  Described in RFC 1183.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         APL
                       </p>
                     </td>
 <td>
                       <p>
                         Address prefix list.  Experimental.
                         Described in RFC 3123.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         CERT
                       </p>
                     </td>
 <td>
                       <p>
                         Holds a digital certificate.
                         Described in RFC 2538.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         CNAME
                       </p>
                     </td>
 <td>
                       <p>
                         Identifies the canonical name of an alias.
                         Described in RFC 1035.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         DHCID
                       </p>
                     </td>
 <td>
                       <p>
                         Is used for identifying which DHCP client is
                         associated with this name.  Described in RFC 4701.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         DNAME
                       </p>
                     </td>
 <td>
                       <p>
                         Replaces the domain name specified with
                         another name to be looked up, effectively aliasing an
                         entire
                         subtree of the domain name space rather than a single
                         record
                         as in the case of the CNAME RR.
                         Described in RFC 2672.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         DNSKEY
                       </p>
                     </td>
 <td>
                       <p>
                         Stores a public key associated with a signed
                         DNS zone.  Described in RFC 4034.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         DS
                       </p>
                     </td>
 <td>
                       <p>
                         Stores the hash of a public key associated with a
                         signed DNS zone.  Described in RFC 4034.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         GPOS
                       </p>
                     </td>
 <td>
                       <p>
                         Specifies the global position.  Superseded by LOC.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         HINFO
                       </p>
                     </td>
 <td>
                       <p>
                         Identifies the CPU and OS used by a host.
                         Described in RFC 1035.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         IPSECKEY
                       </p>
                     </td>
 <td>
                       <p>
                         Provides a method for storing IPsec keying material in
                         DNS.  Described in RFC 4025.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         ISDN
                       </p>
                     </td>
 <td>
                       <p>
                         Representation of ISDN addresses.
                         Experimental.  Described in RFC 1183.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         KEY
                       </p>
                     </td>
 <td>
                       <p>
                         Stores a public key associated with a
                         DNS name.  Used in original DNSSEC; replaced
                         by DNSKEY in DNSSECbis, but still used with
                         SIG(0).  Described in RFCs 2535 and 2931.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         KX
                       </p>
                     </td>
 <td>
                       <p>
                         Identifies a key exchanger for this
                         DNS name.  Described in RFC 2230.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         LOC
                       </p>
                     </td>
 <td>
                       <p>
                         For storing GPS info.  Described in RFC 1876.
                         Experimental.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         MX
                       </p>
                     </td>
 <td>
                       <p>
                         Identifies a mail exchange for the domain with
                         a 16-bit preference value (lower is better)
                         followed by the host name of the mail exchange.
                         Described in RFC 974, RFC 1035.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         NAPTR
                       </p>
                     </td>
 <td>
                       <p>
                         Name authority pointer.  Described in RFC 2915.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         NSAP
                       </p>
                     </td>
 <td>
                       <p>
                         A network service access point.
                         Described in RFC 1706.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         NS
                       </p>
                     </td>
 <td>
                       <p>
                         The authoritative name server for the
                         domain.  Described in RFC 1035.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         NSEC
                       </p>
                     </td>
 <td>
                       <p>
                         Used in DNSSECbis to securely indicate that
                         RRs with an owner name in a certain name interval do
                         not exist in
                         a zone and indicate what RR types are present for an
                         existing name.
                         Described in RFC 4034.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         NSEC3
                       </p>
                     </td>
 <td>
                       <p>
                         Used in DNSSECbis to securely indicate that
                         RRs with an owner name in a certain name
                         interval do not exist in a zone and indicate
                         what RR types are present for an existing
                         name.  NSEC3 differs from NSEC in that it
                         prevents zone enumeration but is more
                         computationally expensive on both the server
                         and the client than NSEC.  Described in RFC
                         5155.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         NSEC3PARAM
                       </p>
                     </td>
 <td>
                       <p>
                         Used in DNSSECbis to tell the authoritative
                         server which NSEC3 chains are available to use.
                         Described in RFC 5155.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         NXT
                       </p>
                     </td>
 <td>
                       <p>
                         Used in DNSSEC to securely indicate that
                         RRs with an owner name in a certain name interval do
                         not exist in
                         a zone and indicate what RR types are present for an
                         existing name.
                         Used in original DNSSEC; replaced by NSEC in
                         DNSSECbis.
                         Described in RFC 2535.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         PTR
                       </p>
                     </td>
 <td>
                       <p>
                         A pointer to another part of the domain
                         name space.  Described in RFC 1035.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         PX
                       </p>
                     </td>
 <td>
                       <p>
                         Provides mappings between RFC 822 and X.400
                         addresses.  Described in RFC 2163.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         RP
                       </p>
                     </td>
 <td>
                       <p>
                         Information on persons responsible
                         for the domain.  Experimental.  Described in RFC 1183.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         RRSIG
                       </p>
                     </td>
 <td>
                       <p>
                         Contains DNSSECbis signature data.  Described
                         in RFC 4034.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         RT
                       </p>
                     </td>
 <td>
                       <p>
                         Route-through binding for hosts that
                         do not have their own direct wide area network
                         addresses.
                         Experimental.  Described in RFC 1183.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         SIG
                       </p>
                     </td>
 <td>
                       <p>
                         Contains DNSSEC signature data.  Used in
                         original DNSSEC; replaced by RRSIG in
                         DNSSECbis, but still used for SIG(0).
                         Described in RFCs 2535 and 2931.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         SOA
                       </p>
                     </td>
 <td>
                       <p>
                         Identifies the start of a zone of authority.
                         Described in RFC 1035.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         SPF
                       </p>
                     </td>
 <td>
                       <p>
                         Contains the Sender Policy Framework information
                         for a given email domain.  Described in RFC 4408.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         SRV
                       </p>
                     </td>
 <td>
                       <p>
                         Information about well known network
                         services (replaces WKS).  Described in RFC 2782.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         SSHFP
                       </p>
                     </td>
 <td>
                       <p>
                         Provides a way to securely publish a secure shell key's
                         fingerprint.  Described in RFC 4255.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         TXT
                       </p>
                     </td>
 <td>
                       <p>
                         Text records.  Described in RFC 1035.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         WKS
                       </p>
                     </td>
 <td>
                       <p>
                         Information about which well known
                         network services, such as SMTP, that a domain
                         supports. Historical.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         X25
                       </p>
                     </td>
 <td>
                       <p>
                         Representation of X.25 network addresses.
                         Experimental.  Described in RFC 1183.
                       </p>
                     </td>
 </tr>
 </tbody>
 </table></div>
 <p>
               The following <span class="emphasis"><em>classes</em></span> of resource records
               are currently valid in the DNS:
             </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                       <p>
                         IN
                       </p>
                     </td>
 <td>
                       <p>
                         The Internet.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         CH
                       </p>
                     </td>
 <td>
                       <p>
                         Chaosnet, a LAN protocol created at MIT in the
                         mid-1970s.
                         Rarely used for its historical purpose, but reused for
                         BIND's
                         built-in server information zones, e.g.,
                         <code class="literal">version.bind</code>.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         HS
                       </p>
                     </td>
 <td>
                       <p>
                         Hesiod, an information service
                         developed by MIT's Project Athena. It is used to share
                         information
                         about various systems databases, such as users,
                         groups, printers
                         and so on.
                       </p>
                     </td>
 </tr>
 </tbody>
 </table></div>
 <p>
               The owner name is often implicit, rather than forming an
               integral
               part of the RR.  For example, many name servers internally form
               tree
               or hash structures for the name space, and chain RRs off nodes.
               The remaining RR parts are the fixed header (type, class, TTL)
               which is consistent for all RRs, and a variable part (RDATA)
               that
               fits the needs of the resource being described.
             </p>
 <p>
               The meaning of the TTL field is a time limit on how long an
               RR can be kept in a cache.  This limit does not apply to
               authoritative
               data in zones; it is also timed out, but by the refreshing
               policies
               for the zone.  The TTL is assigned by the administrator for the
               zone where the data originates.  While short TTLs can be used to
               minimize caching, and a zero TTL prohibits caching, the
               realities
               of Internet performance suggest that these times should be on
               the
               order of days for the typical host.  If a change can be
               anticipated,
               the TTL can be reduced prior to the change to minimize
               inconsistency
               during the change, and then increased back to its former value
               following
               the change.
             </p>
 <p>
               The data in the RDATA section of RRs is carried as a combination
               of binary strings and domain names.  The domain names are
               frequently
               used as "pointers" to other data in the DNS.
             </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2598247"></a>Textual expression of RRs</h4></div></div></div>
 <p>
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
               when
               stored in a name server or resolver.  In the examples provided
               in
               RFC 1034, a style similar to that used in master files was
               employed
               in order to show the contents of RRs.  In this format, most RRs
               are shown on a single line, although continuation lines are
               possible
               using parentheses.
             </p>
 <p>
               The start of the line gives the owner of the RR.  If a line
               begins with a blank, then the owner is assumed to be the same as
               that of the previous RR.  Blank lines are often included for
               readability.
             </p>
 <p>
               Following the owner, we list the TTL, type, and class of the
               RR.  Class and type use the mnemonics defined above, and TTL is
               an integer before the type field.  In order to avoid ambiguity
               in
               parsing, type and class mnemonics are disjoint, TTLs are
               integers,
               and the type mnemonic is always last. The IN class and TTL
               values
               are often omitted from examples in the interests of clarity.
             </p>
 <p>
               The resource data or RDATA section of the RR are given using
               knowledge of the typical representation for the data.
             </p>
 <p>
               For example, we might show the RRs carried in a message as:
             </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                       <p>
                         <code class="literal">ISI.EDU.</code>
                       </p>
                     </td>
 <td>
                       <p>
                         <code class="literal">MX</code>
                       </p>
                     </td>
 <td>
                       <p>
                         <code class="literal">10 VENERA.ISI.EDU.</code>
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p></p>
                     </td>
 <td>
                       <p>
                         <code class="literal">MX</code>
                       </p>
                     </td>
 <td>
                       <p>
                         <code class="literal">10 VAXA.ISI.EDU</code>
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="literal">VENERA.ISI.EDU</code>
                       </p>
                     </td>
 <td>
                       <p>
                         <code class="literal">A</code>
                       </p>
                     </td>
 <td>
                       <p>
                         <code class="literal">128.9.0.32</code>
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p></p>
                     </td>
 <td>
                       <p>
                         <code class="literal">A</code>
                       </p>
                     </td>
 <td>
                       <p>
                         <code class="literal">10.1.0.52</code>
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p>
                         <code class="literal">VAXA.ISI.EDU</code>
                       </p>
                     </td>
 <td>
                       <p>
                         <code class="literal">A</code>
                       </p>
                     </td>
 <td>
                       <p>
                         <code class="literal">10.2.0.27</code>
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p></p>
                     </td>
 <td>
                       <p>
                         <code class="literal">A</code>
                       </p>
                     </td>
 <td>
                       <p>
                         <code class="literal">128.9.0.33</code>
                       </p>
                     </td>
 </tr>
 </tbody>
 </table></div>
 <p>
               The MX RRs have an RDATA section which consists of a 16-bit
               number followed by a domain name.  The address RRs use a
               standard
               IP address format to contain a 32-bit internet address.
             </p>
 <p>
               The above example shows six RRs, with two RRs at each of three
               domain names.
             </p>
 <p>
               Similarly we might see:
             </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                       <p>
                         <code class="literal">XX.LCS.MIT.EDU.</code>
                       </p>
                     </td>
 <td>
                       <p>
                         <code class="literal">IN A</code>
                       </p>
                     </td>
 <td>
                       <p>
                         <code class="literal">10.0.0.44</code>
                       </p>
                     </td>
 </tr>
 <tr>
 <td> </td>
 <td>
                       <p>
                         <code class="literal">CH A</code>
                       </p>
                     </td>
 <td>
                       <p>
                         <code class="literal">MIT.EDU. 2420</code>
                       </p>
                     </td>
 </tr>
 </tbody>
 </table></div>
 <p>
               This example shows two addresses for
               <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
             </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2598768"></a>Discussion of MX Records</h3></div></div></div>
 <p>
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
             piece of information about a given domain name (which is usually,
             but not always, a host). The simplest way to think of a RR is as
             a typed pair of data, a domain name matched with a relevant datum,
             and stored with some additional type information to help systems
             determine when the RR is relevant.
           </p>
 <p>
             MX records are used to control delivery of email. The data
             specified in the record is a priority and a domain name. The
             priority
             controls the order in which email delivery is attempted, with the
             lowest number first. If two priorities are the same, a server is
             chosen randomly. If no servers at a given priority are responding,
             the mail transport agent will fall back to the next largest
             priority.
             Priority numbers do not have any absolute meaning &#8212; they are
             relevant
             only respective to other MX records for that domain name. The
             domain
             name given is the machine to which the mail will be delivered.
             It <span class="emphasis"><em>must</em></span> have an associated address record
             (A or AAAA) &#8212; CNAME is not sufficient.
           </p>
 <p>
             For a given domain, if there is both a CNAME record and an
             MX record, the MX record is in error, and will be ignored.
             Instead,
             the mail will be delivered to the server specified in the MX
             record
             pointed to by the CNAME.
             For example:
           </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 <col>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                     <p>
                       <code class="literal">example.com.</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">IN</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">MX</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">10</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">mail.example.com.</code>
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p></p>
                   </td>
 <td>
                     <p>
                       <code class="literal">IN</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">MX</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">10</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">mail2.example.com.</code>
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p></p>
                   </td>
 <td>
                     <p>
                       <code class="literal">IN</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">MX</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">20</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">mail.backup.org.</code>
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p>
                       <code class="literal">mail.example.com.</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">IN</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">A</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">10.0.0.1</code>
                     </p>
                   </td>
 <td>
                     <p></p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p>
                       <code class="literal">mail2.example.com.</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">IN</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">A</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">10.0.0.2</code>
                     </p>
                   </td>
 <td>
                     <p></p>
                   </td>
 </tr>
 </tbody>
 </table></div>
 <p>
             Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
             <code class="literal">mail2.example.com</code> (in
             any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
             be attempted.
           </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
 <p>
             The time-to-live of the RR field is a 32-bit integer represented
             in units of seconds, and is primarily used by resolvers when they
             cache RRs. The TTL describes how long a RR can be cached before it
             should be discarded. The following three types of TTL are
             currently
             used in a zone file.
           </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                     <p>
                       SOA
                     </p>
                   </td>
 <td>
                     <p>
                       The last field in the SOA is the negative
                       caching TTL. This controls how long other servers will
                       cache no-such-domain
                       (NXDOMAIN) responses from you.
                     </p>
                     <p>
                       The maximum time for
                       negative caching is 3 hours (3h).
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p>
                       $TTL
                     </p>
                   </td>
 <td>
                     <p>
                       The $TTL directive at the top of the
                       zone file (before the SOA) gives a default TTL for every
                       RR without
                       a specific TTL set.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p>
                       RR TTLs
                     </p>
                   </td>
 <td>
                     <p>
                       Each RR can have a TTL as the second
                       field in the RR, which will control how long other
                       servers can cache it.
                     </p>
                   </td>
 </tr>
 </tbody>
 </table></div>
 <p>
             All of these TTLs default to units of seconds, though units
             can be explicitly specified, for example, <code class="literal">1h30m</code>.
           </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2599451"></a>Inverse Mapping in IPv4</h3></div></div></div>
 <p>
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
             and PTR records. Entries in the in-addr.arpa domain are made in
             least-to-most significant order, read left to right. This is the
             opposite order to the way IP addresses are usually written. Thus,
             a machine with an IP address of 10.1.2.3 would have a
             corresponding
             in-addr.arpa name of
             3.2.1.10.in-addr.arpa. This name should have a PTR resource record
             whose data field is the name of the machine or, optionally,
             multiple
             PTR records if the machine has more than one name. For example,
             in the [<span class="optional">example.com</span>] domain:
           </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                     <p>
                       <code class="literal">$ORIGIN</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">2.1.10.in-addr.arpa</code>
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p>
                       <code class="literal">3</code>
                     </p>
                   </td>
 <td>
                     <p>
                       <code class="literal">IN PTR foo.example.com.</code>
                     </p>
                   </td>
 </tr>
 </tbody>
 </table></div>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
               The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
               are for providing context to the examples only &#8212; they do not
               necessarily
               appear in the actual usage. They are only used here to indicate
               that the example is relative to the listed origin.
             </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2599578"></a>Other Zone File Directives</h3></div></div></div>
 <p>
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
             itself
             is class independent all records in a Master File must be of the
             same
             class.
           </p>
 <p>
             Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
             and <span><strong class="command">$TTL.</strong></span>
           </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2599601"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
 <p>
               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
               At the start of the zone file, it is the 
               &lt;<code class="varname">zone_name</code>&gt; (followed by
               trailing dot).
             </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2599617"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$ORIGIN</strong></span>
               <em class="replaceable"><code>domain-name</code></em>
               [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
             </p>
 <p><span><strong class="command">$ORIGIN</strong></span>
               sets the domain name that will be appended to any
               unqualified records. When a zone is first read in there
               is an implicit <span><strong class="command">$ORIGIN</strong></span>
               &lt;<code class="varname">zone_name</code>&gt;<span><strong class="command">.</strong></span>
               (followed by trailing dot).
               The current <span><strong class="command">$ORIGIN</strong></span> is appended to
               the domain specified in the <span><strong class="command">$ORIGIN</strong></span>
               argument if it is not absolute.
             </p>
 <pre class="programlisting">
 $ORIGIN example.com.
 WWW     CNAME   MAIN-SERVER
 </pre>
 <p>
               is equivalent to
             </p>
 <pre class="programlisting">
 WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 </pre>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2599746"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$INCLUDE</strong></span>
               <em class="replaceable"><code>filename</code></em>
               [<span class="optional">
 <em class="replaceable"><code>origin</code></em> </span>]
               [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
             </p>
 <p>
               Read and process the file <code class="filename">filename</code> as
               if it were included into the file at this point.  If <span><strong class="command">origin</strong></span> is
               specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
               to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
               used.
             </p>
 <p>
               The origin and the current domain name
               revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
               the file has been read.
             </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
                 RFC 1035 specifies that the current origin should be restored
                 after
                 an <span><strong class="command">$INCLUDE</strong></span>, but it is silent
                 on whether the current
                 domain name should also be restored.  BIND 9 restores both of
                 them.
                 This could be construed as a deviation from RFC 1035, a
                 feature, or both.
               </p>
 </div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2599815"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$TTL</strong></span>
               <em class="replaceable"><code>default-ttl</code></em>
               [<span class="optional">
 <em class="replaceable"><code>comment</code></em> </span>]
             </p>
 <p>
               Set the default Time To Live (TTL) for subsequent records
               with undefined TTLs. Valid TTLs are of the range 0-2147483647
               seconds.
             </p>
 <p><span><strong class="command">$TTL</strong></span>
                is defined in RFC 2308.
             </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2599851"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
 <p>
             Syntax: <span><strong class="command">$GENERATE</strong></span>
             <em class="replaceable"><code>range</code></em>
             <em class="replaceable"><code>lhs</code></em>
             [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>]
             [<span class="optional"><em class="replaceable"><code>class</code></em></span>]
             <em class="replaceable"><code>type</code></em>
             <em class="replaceable"><code>rhs</code></em>
             [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
           </p>
 <p><span><strong class="command">$GENERATE</strong></span>
             is used to create a series of resource records that only
             differ from each other by an
             iterator. <span><strong class="command">$GENERATE</strong></span> can be used to
             easily generate the sets of records required to support
             sub /24 reverse delegations described in RFC 2317:
             Classless IN-ADDR.ARPA delegation.
           </p>
 <pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
 $GENERATE 1-2 @ NS SERVER$.EXAMPLE.
 $GENERATE 1-127 $ CNAME $.0</pre>
 <p>
             is equivalent to
           </p>
 <pre class="programlisting">0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
 ...
 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
 </pre>
 <p>
             Generate a set of A and MX records.  Note the MX's right hand
             side is a quoted string.  The quotes will be stripped when the
             right hand side is processed.
            </p>
 <pre class="programlisting">
 $ORIGIN EXAMPLE.
 $GENERATE 1-127 HOST-$ A 1.2.3.$
 $GENERATE 1-127 HOST-$ MX "0 ."</pre>
 <p>
             is equivalent to
           </p>
 <pre class="programlisting">HOST-1.EXAMPLE.   A  1.2.3.1
 HOST-1.EXAMPLE.   MX 0 .
 HOST-2.EXAMPLE.   A  1.2.3.2
 HOST-2.EXAMPLE.   MX 0 .
 HOST-3.EXAMPLE.   A  1.2.3.3
 HOST-3.EXAMPLE.   MX 0 .
 ...
 HOST-127.EXAMPLE. A  1.2.3.127
 HOST-127.EXAMPLE. MX 0 .
 </pre>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                     <p><span><strong class="command">range</strong></span></p>
                   </td>
 <td>
                     <p>
                       This can be one of two forms: start-stop
                       or start-stop/step. If the first form is used, then step
                       is set to 1. start, stop and step must be positive
                       integers between 0 and (2^31)-1. start must not be
                       larger than stop.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">lhs</strong></span></p>
                   </td>
 <td>
                     <p>This
                       describes the owner name of the resource records
                       to be created.  Any single <span><strong class="command">$</strong></span>
                       (dollar sign)
                       symbols within the <span><strong class="command">lhs</strong></span> string
                       are replaced by the iterator value.
 
                       To get a $ in the output, you need to escape the
                       <span><strong class="command">$</strong></span> using a backslash
                       <span><strong class="command">\</strong></span>,
                       e.g. <span><strong class="command">\$</strong></span>. The
                       <span><strong class="command">$</strong></span> may optionally be followed
                       by modifiers which change the offset from the
                       iterator, field width and base.
 
                       Modifiers are introduced by a
                       <span><strong class="command">{</strong></span> (left brace) immediately following the
                       <span><strong class="command">$</strong></span> as
                       <span><strong class="command">${offset[,width[,base]]}</strong></span>.
                       For example, <span><strong class="command">${-20,3,d}</strong></span>
                       subtracts 20 from the current value, prints the
                       result as a decimal in a zero-padded field of
                       width 3.
 
                       Available output forms are decimal
                       (<span><strong class="command">d</strong></span>), octal
                       (<span><strong class="command">o</strong></span>), hexadecimal
                       (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span>
                       for uppercase) and nibble
                       (<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\
                       for uppercase).  The default modifier is
                       <span><strong class="command">${0,0,d}</strong></span>.  If the
                       <span><strong class="command">lhs</strong></span> is not absolute, the
                       current <span><strong class="command">$ORIGIN</strong></span> is appended
                       to the name.
                     </p>
                     <p>
                       In nibble mode the value will be treated as
                       if it was a reversed hexadecimal string
                       with each hexadecimal digit as a separate
                       label.  The width field includes the label
                       separator.
                     </p>
                     <p>
                       For compatibility with earlier versions,
                       <span><strong class="command">$$</strong></span> is still recognized as
                       indicating a literal $ in the output.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">ttl</strong></span></p>
                   </td>
 <td>
                     <p>
                       Specifies the time-to-live of the generated records. If
                       not specified this will be inherited using the
                       normal TTL inheritance rules.
                     </p>
                     <p><span><strong class="command">class</strong></span>
                       and <span><strong class="command">ttl</strong></span> can be
                       entered in either order.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">class</strong></span></p>
                   </td>
 <td>
                     <p>
                       Specifies the class of the generated records.
                       This must match the zone class if it is
                       specified.
                     </p>
                     <p><span><strong class="command">class</strong></span>
                       and <span><strong class="command">ttl</strong></span> can be
                       entered in either order.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">type</strong></span></p>
                   </td>
 <td>
                     <p>
                       Any valid type.
                     </p>
                   </td>
 </tr>
 <tr>
 <td>
                     <p><span><strong class="command">rhs</strong></span></p>
                   </td>
 <td>
                     <p>
                       <span><strong class="command">rhs</strong></span>, optionally, quoted string.
                     </p>
                   </td>
 </tr>
 </tbody>
 </table></div>
 <p>
             The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
             and not part of the standard zone file format.
           </p>
 <p>
             BIND 8 does not support the optional TTL and CLASS fields.
           </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
 <p>
             In addition to the standard textual format, BIND 9
             supports the ability to read or dump to zone files in
             other formats.  The <code class="constant">raw</code> format is
             currently available as an additional format.  It is a
             binary format representing BIND 9's internal data
             structure directly, thereby remarkably improving the
             loading time.
           </p>
 <p>
             For a primary server, a zone file in the
             <code class="constant">raw</code> format is expected to be
             generated from a textual zone file by the
             <span><strong class="command">named-compilezone</strong></span> command.  For a
             secondary server or for a dynamic zone, it is automatically
             generated (if this format is specified by the
             <span><strong class="command">masterfile-format</strong></span> option) when
             <span><strong class="command">named</strong></span> dumps the zone contents after
             zone transfer or when applying prior updates.
           </p>
 <p>
             If a zone file in a binary format needs manual modification,
             it first must be converted to a textual form by the
             <span><strong class="command">named-compilezone</strong></span> command.  All
             necessary modification should go to the text file, which
             should then be converted to the binary form by the
             <span><strong class="command">named-compilezone</strong></span> command again.
           </p>
 <p>
              Although the <code class="constant">raw</code> format uses the
              network byte order and avoids architecture-dependent
              data alignment so that it is as much portable as
              possible, it is primarily expected to be used inside
              the same single system.  In order to export a zone
              file in the <code class="constant">raw</code> format or make a
              portable backup of the file, it is recommended to
              convert the file to the standard textual representation.
           </p>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="statistics"></a>BIND9 Statistics</h2></div></div></div>
 <p>
           <acronym class="acronym">BIND</acronym> 9 maintains lots of statistics
           information and provides several interfaces for users to
           get access to the statistics.
           The available statistics include all statistics counters
           that were available in <acronym class="acronym">BIND</acronym> 8 and
           are meaningful in <acronym class="acronym">BIND</acronym> 9,
           and other information that is considered useful.
         </p>
 <p>
           The statistics information is categorized into the following
           sections.
         </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                   <p>Incoming Requests</p>
                 </td>
 <td>
                   <p>
                     The number of incoming DNS requests for each OPCODE.
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p>Incoming Queries</p>
                 </td>
 <td>
                   <p>
                     The number of incoming queries for each RR type.
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p>Outgoing Queries</p>
                 </td>
 <td>
                   <p>
                     The number of outgoing queries for each RR
                     type sent from the internal resolver.
                     Maintained per view.
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p>Name Server Statistics</p>
                 </td>
 <td>
                   <p>
                     Statistics counters about incoming request processing.
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p>Zone Maintenance Statistics</p>
                 </td>
 <td>
                   <p>
                     Statistics counters regarding zone maintenance
                     operations such as zone transfers.
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p>Resolver Statistics</p>
                 </td>
 <td>
                   <p>
                     Statistics counters about name resolution
                     performed in the internal resolver.
                     Maintained per view.
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p>Cache DB RRsets</p>
                 </td>
 <td>
                   <p>
                     The number of RRsets per RR type and nonexistent
                     names stored in the cache database.
                     If the exclamation mark (!) is printed for a RR
                     type, it means that particular type of RRset is
                     known to be nonexistent (this is also known as
                     "NXRRSET").
                     Maintained per view.
                   </p>
                 </td>
 </tr>
 <tr>
 <td>
                   <p>Socket I/O Statistics</p>
                 </td>
 <td>
                   <p>
                     Statistics counters about network related events.
                   </p>
                 </td>
 </tr>
 </tbody>
 </table></div>
 <p>
           A subset of Name Server Statistics is collected and shown
           per zone for which the server has the authority when
           <span><strong class="command">zone-statistics</strong></span> is set to
           <strong class="userinput"><code>yes</code></strong>.
           These statistics counters are shown with their zone and view
           names.
           In some cases the view names are omitted for the default view.
         </p>
 <p>
           There are currently two user interfaces to get access to the
           statistics.
           One is in the plain text format dumped to the file specified
           by the <span><strong class="command">statistics-file</strong></span> configuration option.
           The other is remotely accessible via a statistics channel
           when the <span><strong class="command">statistics-channels</strong></span> statement
           is specified in the configuration file
           (see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called &#8220;<span><strong class="command">statistics-channels</strong></span> Statement Grammar&#8221;</a>.)
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="statsfile"></a>The Statistics File</h4></div></div></div>
 <p>
             The text format statistics dump begins with a line, like:
           </p>
 <p>
             <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
           </p>
 <p>
             The number in parentheses is a standard
             Unix-style timestamp, measured as seconds since January 1, 1970.
 
             Following
             that line is a set of statistics information, which is categorized
             as described above.
             Each section begins with a line, like:
           </p>
 <p>
             <span><strong class="command">++ Name Server Statistics ++</strong></span>
           </p>
 <p>
             Each section consists of lines, each containing the statistics
             counter value followed by its textual description.
             See below for available counters.
             For brevity, counters that have a value of 0 are not shown
             in the statistics file.
           </p>
 <p>
             The statistics dump ends with the line where the
             number is identical to the number in the beginning line; for example:
           </p>
 <p>
             <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
           </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="statistics_counters"></a>Statistics Counters</h3></div></div></div>
 <p>
             The following tables summarize statistics counters that
             <acronym class="acronym">BIND</acronym> 9 provides.
             For each row of the tables, the leftmost column is the
             abbreviated symbol name of that counter.
             These symbols are shown in the statistics information
             accessed via an HTTP statistics channel.
             The rightmost column gives the description of the counter,
             which is also shown in the statistics file
             (but, in this document, possibly with slight modification
             for better readability).
             Additional notes may also be provided in this column.
             When a middle column exists between these two columns,
             it gives the corresponding counter name of the
             <acronym class="acronym">BIND</acronym> 8 statistics, if applicable.
           </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2600941"></a>Name Server Statistics Counters</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                       <p>
                         <span class="emphasis"><em>Symbol</em></span>
                       </p>
                     </td>
 <td>
                       <p>
                         <span class="emphasis"><em>BIND8 Symbol</em></span>
                       </p>
                     </td>
 <td>
                       <p>
                         <span class="emphasis"><em>Description</em></span>
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">Requestv4</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RQ</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv4 requests received.
                         Note: this also counts non query requests.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">Requestv6</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RQ</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv6 requests received.
                         Note: this also counts non query requests.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">ReqEdns0</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Requests with EDNS(0) received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">ReqBadEDNSVer</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Requests with unsupported EDNS version received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">ReqTSIG</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Requests with TSIG received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">ReqSIG0</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Requests with SIG(0) received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">ReqBadSIG</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Requests with invalid (TSIG or SIG(0)) signature.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">ReqTCP</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RTCP</strong></span></p>
                     </td>
 <td>
                       <p>
                         TCP requests received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">AuthQryRej</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RUQ</strong></span></p>
                     </td>
 <td>
                       <p>
                         Authoritative (non recursive) queries rejected.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">RecQryRej</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RURQ</strong></span></p>
                     </td>
 <td>
                       <p>
                         Recursive queries rejected.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">XfrRej</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RUXFR</strong></span></p>
                     </td>
 <td>
                       <p>
                         Zone transfer requests rejected.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">UpdateRej</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RUUpd</strong></span></p>
                     </td>
 <td>
                       <p>
                         Dynamic update requests rejected.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">Response</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">SAns</strong></span></p>
                     </td>
 <td>
                       <p>
                         Responses sent.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">RespTruncated</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Truncated responses sent.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">RespEDNS0</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Responses with EDNS(0) sent.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">RespTSIG</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Responses with TSIG sent.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">RespSIG0</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Responses with SIG(0) sent.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QrySuccess</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Queries resulted in a successful answer.
                         This means the query which returns a NOERROR response
                         with at least one answer RR.
                         This corresponds to the
                         <span><strong class="command">success</strong></span> counter
                         of previous versions of
                         <acronym class="acronym">BIND</acronym> 9.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QryAuthAns</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Queries resulted in authoritative answer.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QryNoauthAns</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">SNaAns</strong></span></p>
                     </td>
 <td>
                       <p>
                         Queries resulted in non authoritative answer.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QryReferral</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Queries resulted in referral answer.
                         This corresponds to the
                         <span><strong class="command">referral</strong></span> counter
                         of previous versions of
                         <acronym class="acronym">BIND</acronym> 9.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QryNxrrset</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Queries resulted in NOERROR responses with no data.
                         This corresponds to the
                         <span><strong class="command">nxrrset</strong></span> counter
                         of previous versions of
                         <acronym class="acronym">BIND</acronym> 9.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QrySERVFAIL</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">SFail</strong></span></p>
                     </td>
 <td>
                       <p>
                         Queries resulted in SERVFAIL.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QryFORMERR</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">SFErr</strong></span></p>
                     </td>
 <td>
                       <p>
                         Queries resulted in FORMERR.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QryNXDOMAIN</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">SNXD</strong></span></p>
                     </td>
 <td>
                       <p>
                         Queries resulted in NXDOMAIN.
                         This corresponds to the
                         <span><strong class="command">nxdomain</strong></span> counter
                         of previous versions of
                         <acronym class="acronym">BIND</acronym> 9.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QryRecursion</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RFwdQ</strong></span></p>
                     </td>
 <td>
                       <p>
                         Queries which caused the server
                         to perform recursion in order to find the final answer.
                         This corresponds to the
                         <span><strong class="command">recursion</strong></span> counter
                         of previous versions of
                         <acronym class="acronym">BIND</acronym> 9.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QryDuplicate</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RDupQ</strong></span></p>
                     </td>
 <td>
                       <p>
                         Queries which the server attempted to
                         recurse but discovered an existing query with the same
                         IP address, port, query ID, name, type and class
                         already being processed.
                         This corresponds to the
                         <span><strong class="command">duplicate</strong></span> counter
                         of previous versions of
                         <acronym class="acronym">BIND</acronym> 9.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QryDropped</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Recursive queries for which the server
                         discovered an excessive number of existing
                         recursive queries for the same name, type and
                         class and were subsequently dropped.
                         This is the number of dropped queries due to
                         the reason explained with the
                         <span><strong class="command">clients-per-query</strong></span>
                         and
                         <span><strong class="command">max-clients-per-query</strong></span>
                         options
                         (see the description about
                         <a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
                         This corresponds to the
                         <span><strong class="command">dropped</strong></span> counter
                         of previous versions of
                         <acronym class="acronym">BIND</acronym> 9.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QryFailure</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Other query failures.
                         This corresponds to the
                         <span><strong class="command">failure</strong></span> counter
                         of previous versions of
                         <acronym class="acronym">BIND</acronym> 9.
                         Note: this counter is provided mainly for
                         backward compatibility with the previous versions.
                         Normally a more fine-grained counters such as
                         <span><strong class="command">AuthQryRej</strong></span> and
                         <span><strong class="command">RecQryRej</strong></span>
                         that would also fall into this counter are provided,
                         and so this counter would not be of much
                         interest in practice.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">XfrReqDone</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Requested zone transfers completed.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">UpdateReqFwd</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Update requests forwarded.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">UpdateRespFwd</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Update responses forwarded.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">UpdateFwdFail</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Dynamic update forward failed.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">UpdateDone</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Dynamic updates completed.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">UpdateFail</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Dynamic updates failed.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">UpdateBadPrereq</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Dynamic updates rejected due to prerequisite failure.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">RPZRewrites</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Response policy zone rewrites.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">RateDropped</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Responses dropped by rate limits.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">RateSlipped</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Responses truncated by rate limits.
                       </p>
                     </td>
 </tr>
 </tbody>
 </table></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2602510"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                       <p>
                         <span class="emphasis"><em>Symbol</em></span>
                       </p>
                     </td>
 <td>
                       <p>
                         <span class="emphasis"><em>Description</em></span>
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">NotifyOutv4</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv4 notifies sent.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">NotifyOutv6</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv6 notifies sent.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">NotifyInv4</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv4 notifies received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">NotifyInv6</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv6 notifies received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">NotifyRej</strong></span></p>
                     </td>
 <td>
                       <p>
                         Incoming notifies rejected.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">SOAOutv4</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv4 SOA queries sent.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">SOAOutv6</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv6 SOA queries sent.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">AXFRReqv4</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv4 AXFR requested.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">AXFRReqv6</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv6 AXFR requested.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">IXFRReqv4</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv4 IXFR requested.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">IXFRReqv6</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv6 IXFR requested.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">XfrSuccess</strong></span></p>
                     </td>
 <td>
                       <p>
                         Zone transfer requests succeeded.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">XfrFail</strong></span></p>
                     </td>
 <td>
                       <p>
                         Zone transfer requests failed.
                       </p>
                     </td>
 </tr>
 </tbody>
 </table></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2602962"></a>Resolver Statistics Counters</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                       <p>
                         <span class="emphasis"><em>Symbol</em></span>
                       </p>
                     </td>
 <td>
                       <p>
                         <span class="emphasis"><em>BIND8 Symbol</em></span>
                       </p>
                     </td>
 <td>
                       <p>
                         <span class="emphasis"><em>Description</em></span>
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">Queryv4</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">SFwdQ</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv4 queries sent.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">Queryv6</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">SFwdQ</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv6 queries sent.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">Responsev4</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RR</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv4 responses received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">Responsev6</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RR</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv6 responses received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">NXDOMAIN</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RNXD</strong></span></p>
                     </td>
 <td>
                       <p>
                         NXDOMAIN received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">SERVFAIL</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RFail</strong></span></p>
                     </td>
 <td>
                       <p>
                         SERVFAIL received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">FORMERR</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RFErr</strong></span></p>
                     </td>
 <td>
                       <p>
                         FORMERR received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">OtherError</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RErr</strong></span></p>
                     </td>
 <td>
                       <p>
                         Other errors received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">EDNS0Fail</strong></span></p>
                                                  </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         EDNS(0) query failures.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">Mismatch</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RDupR</strong></span></p>
                     </td>
 <td>
                       <p>
                         Mismatch responses received.
                         The DNS ID, response's source address,
                         and/or the response's source port does not
                         match what was expected.
                         (The port must be 53 or as defined by
                         the <span><strong class="command">port</strong></span> option.)
                         This may be an indication of a cache
                         poisoning attempt.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">Truncated</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Truncated responses received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">Lame</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">RLame</strong></span></p>
                     </td>
 <td>
                       <p>
                         Lame delegations received.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">Retry</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">SDupQ</strong></span></p>
                     </td>
 <td>
                       <p>
                         Query retries performed.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QueryAbort</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Queries aborted due to quota control.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QuerySockFail</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Failures in opening query sockets.
                         One common reason for such failures is a
                         failure of opening a new socket due to a
                         limitation on file descriptors.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QueryTimeout</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Query timeouts.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">GlueFetchv4</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">SSysQ</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv4 NS address fetches invoked.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">GlueFetchv6</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command">SSysQ</strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv6 NS address fetches invoked.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">GlueFetchv4Fail</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv4 NS address fetch failed.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">GlueFetchv6Fail</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         IPv6 NS address fetch failed.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">ValAttempt</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         DNSSEC validation attempted.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">ValOk</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         DNSSEC validation succeeded.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">ValNegOk</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         DNSSEC validation on negative information succeeded.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">ValFail</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         DNSSEC validation failed.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">QryRTTnn</strong></span></p>
                     </td>
 <td>
                       <p><span><strong class="command"></strong></span></p>
                     </td>
 <td>
                       <p>
                         Frequency table on round trip times (RTTs) of
                         queries.
                         Each <span><strong class="command">nn</strong></span> specifies the corresponding
                         frequency.
                         In the sequence of
                         <span><strong class="command">nn_1</strong></span>,
                         <span><strong class="command">nn_2</strong></span>,
                         ...,
                         <span><strong class="command">nn_m</strong></span>,
                         the value of <span><strong class="command">nn_i</strong></span> is the
                         number of queries whose RTTs are between
                         <span><strong class="command">nn_(i-1)</strong></span> (inclusive) and
                         <span><strong class="command">nn_i</strong></span> (exclusive) milliseconds.
                         For the sake of convenience we define
                         <span><strong class="command">nn_0</strong></span> to be 0.
                         The last entry should be represented as
                         <span><strong class="command">nn_m+</strong></span>, which means the
                         number of queries whose RTTs are equal to or over
                         <span><strong class="command">nn_m</strong></span> milliseconds.
                       </p>
                     </td>
 </tr>
 </tbody>
 </table></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2604052"></a>Socket I/O Statistics Counters</h4></div></div></div>
 <p>
               Socket I/O statistics counters are defined per socket
               types, which are
               <span><strong class="command">UDP4</strong></span> (UDP/IPv4),
               <span><strong class="command">UDP6</strong></span> (UDP/IPv6),
               <span><strong class="command">TCP4</strong></span> (TCP/IPv4),
               <span><strong class="command">TCP6</strong></span> (TCP/IPv6),
               <span><strong class="command">Unix</strong></span> (Unix Domain), and
               <span><strong class="command">FDwatch</strong></span> (sockets opened outside the
               socket module).
               In the following table <span><strong class="command">&lt;TYPE&gt;</strong></span>
               represents a socket type.
               Not all counters are available for all socket types;
               exceptions are noted in the description field.
             </p>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
 <col>
 </colgroup>
 <tbody>
 <tr>
 <td>
                       <p>
                         <span class="emphasis"><em>Symbol</em></span>
                       </p>
                     </td>
 <td>
                       <p>
                         <span class="emphasis"><em>Description</em></span>
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">&lt;TYPE&gt;Open</strong></span></p>
                     </td>
 <td>
                       <p>
                         Sockets opened successfully.
                         This counter is not applicable to the
                         <span><strong class="command">FDwatch</strong></span> type.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">&lt;TYPE&gt;OpenFail</strong></span></p>
                     </td>
 <td>
                       <p>
                         Failures of opening sockets.
                         This counter is not applicable to the
                         <span><strong class="command">FDwatch</strong></span> type.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">&lt;TYPE&gt;Close</strong></span></p>
                     </td>
 <td>
                       <p>
                         Sockets closed.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">&lt;TYPE&gt;BindFail</strong></span></p>
                     </td>
 <td>
                       <p>
                         Failures of binding sockets.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">&lt;TYPE&gt;ConnFail</strong></span></p>
                     </td>
 <td>
                       <p>
                         Failures of connecting sockets.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">&lt;TYPE&gt;Conn</strong></span></p>
                     </td>
 <td>
                       <p>
                         Connections established successfully.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">&lt;TYPE&gt;AcceptFail</strong></span></p>
                     </td>
 <td>
                       <p>
                         Failures of accepting incoming connection requests.
                         This counter is not applicable to the
                         <span><strong class="command">UDP</strong></span> and
                         <span><strong class="command">FDwatch</strong></span> types.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">&lt;TYPE&gt;Accept</strong></span></p>
                     </td>
 <td>
                       <p>
                         Incoming connections successfully accepted.
                         This counter is not applicable to the
                         <span><strong class="command">UDP</strong></span> and
                         <span><strong class="command">FDwatch</strong></span> types.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">&lt;TYPE&gt;SendErr</strong></span></p>
                     </td>
 <td>
                       <p>
                         Errors in socket send operations.
                         This counter corresponds
                         to <span><strong class="command">SErr</strong></span> counter of
                         <span><strong class="command">BIND</strong></span> 8.
                       </p>
                     </td>
 </tr>
 <tr>
 <td>
                       <p><span><strong class="command">&lt;TYPE&gt;RecvErr</strong></span></p>
                     </td>
 <td>
                       <p>
                         Errors in socket receive operations.
                         This includes errors of send operations on a
                         connected UDP socket notified by an ICMP error
                         message.
                       </p>
                     </td>
 </tr>
 </tbody>
 </table></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2604425"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
 <p>
               Most statistics counters that were available
               in <span><strong class="command">BIND</strong></span> 8 are also supported in
               <span><strong class="command">BIND</strong></span> 9 as shown in the above tables.
               Here are notes about other counters that do not appear
               in these tables.
             </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">RFwdR,SFwdR</strong></span></span></dt>
 <dd><p>
                     These counters are not supported
                     because <span><strong class="command">BIND</strong></span> 9 does not adopt
                     the notion of <span class="emphasis"><em>forwarding</em></span>
                     as <span><strong class="command">BIND</strong></span> 8 did.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">RAXFR</strong></span></span></dt>
 <dd><p>
                     This counter is accessible in the Incoming Queries section.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">RIQ</strong></span></span></dt>
 <dd><p>
                     This counter is accessible in the Incoming Requests section.
                   </p></dd>
 <dt><span class="term"><span><strong class="command">ROpts</strong></span></span></dt>
 <dd><p>
                     This counter is not supported
                     because <span><strong class="command">BIND</strong></span> 9 does not care
                     about IP options in the first place.
                   </p></dd>
 </dl></div>
 </div>
 </div>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html	(revision 286124)
@@ -1,252 +1,252 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 7. BIND 9 Security Considerations</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
 <link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="chapter" lang="en">
 <div class="titlepage"><div><div><h2 class="title">
 <a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2604721"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2604802">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2604861">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
 <p>
           Access Control Lists (ACLs) are address match lists that
           you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
           <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
           <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
           <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
           etc.
         </p>
 <p>
           Using ACLs allows you to have finer control over who can access
           your name server, without cluttering up your config files with huge
           lists of IP addresses.
         </p>
 <p>
           It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
           control access to your server. Limiting access to your server by
           outside parties can help prevent spoofing and denial of service (DoS) attacks against
           your server.
         </p>
 <p>
           Here is an example of how to properly apply ACLs:
         </p>
 <pre class="programlisting">
 // Set up an ACL named "bogusnets" that will block
 // RFC1918 space and some reserved space, which is
 // commonly used in spoofing attacks.
 acl bogusnets {
         0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
         10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
 };
 
 // Set up an ACL called our-nets. Replace this with the
 // real IP numbers.
 acl our-nets { x.x.x.x/24; x.x.x.x/21; };
 options {
   ...
   ...
   allow-query { our-nets; };
   allow-recursion { our-nets; };
   ...
   blackhole { bogusnets; };
   ...
 };
 
 zone "example.com" {
   type master;
   file "m/example.com";
   allow-query { any; };
 };
 </pre>
 <p>
           This allows recursive queries of the server from the outside
           unless recursion has been previously disabled.
         </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2604721"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
 </h2></div></div></div>
 <p>
           On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
           in a <span class="emphasis"><em>chrooted</em></span> environment (using
           the <span><strong class="command">chroot()</strong></span> function) by specifying
           the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
           This can help improve system security by placing
           <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
           the damage done if a server is compromised.
         </p>
 <p>
           Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
           ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
           We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
         </p>
 <p>
           Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
           <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
           user 202:
         </p>
 <p>
           <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
         </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2604802"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
 <p>
             In order for a <span><strong class="command">chroot</strong></span> environment
             to
             work properly in a particular directory
             (for example, <code class="filename">/var/named</code>),
             you will need to set up an environment that includes everything
             <acronym class="acronym">BIND</acronym> needs to run.
             From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
             the root of the filesystem.  You will need to adjust the values of
             options like
             like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
             for this.
           </p>
 <p>
             Unlike with earlier versions of BIND, you typically will
             <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
             statically nor install shared libraries under the new root.
             However, depending on your operating system, you may need
             to set up things like
             <code class="filename">/dev/zero</code>,
             <code class="filename">/dev/random</code>,
             <code class="filename">/dev/log</code>, and
             <code class="filename">/etc/localtime</code>.
           </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2604861"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
 <p>
             Prior to running the <span><strong class="command">named</strong></span> daemon,
             use
             the <span><strong class="command">touch</strong></span> utility (to change file
             access and
             modification times) or the <span><strong class="command">chown</strong></span>
             utility (to
             set the user id and/or group id) on files
             to which you want <acronym class="acronym">BIND</acronym>
             to write.
           </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
             Note that if the <span><strong class="command">named</strong></span> daemon is running as an
             unprivileged user, it will not be able to bind to new restricted
             ports if the server is reloaded.
           </div>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
 <p>
           Access to the dynamic
           update facility should be strictly limited.  In earlier versions of
           <acronym class="acronym">BIND</acronym>, the only way to do this was
           based on the IP
           address of the host requesting the update, by listing an IP address
           or
           network prefix in the <span><strong class="command">allow-update</strong></span>
           zone option.
           This method is insecure since the source address of the update UDP
           packet
           is easily forged.  Also note that if the IP addresses allowed by the
           <span><strong class="command">allow-update</strong></span> option include the
           address of a slave
           server which performs forwarding of dynamic updates, the master can
           be
           trivially attacked by sending the update to the slave, which will
           forward it to the master with its own source IP address causing the
           master to approve it without question.
         </p>
 <p>
           For these reasons, we strongly recommend that updates be
           cryptographically authenticated by means of transaction signatures
           (TSIG).  That is, the <span><strong class="command">allow-update</strong></span>
           option should
           list only TSIG key names, not IP addresses or network
           prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
           option can be used.
         </p>
 <p>
           Some sites choose to keep all dynamically-updated DNS data
           in a subdomain and delegate that subdomain to a separate zone. This
           way, the top-level zone containing critical data such as the IP
           addresses
           of public web and mail servers need not allow dynamic update at
           all.
         </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> Chapter 8. Troubleshooting</td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html	(revision 286124)
@@ -1,140 +1,140 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Chapter 8. Troubleshooting</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
 <link rel="next" href="Bv9ARM.ch09.html" title="Appendix A. Release Notes">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">Chapter 8. Troubleshooting</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch07.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch09.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="chapter" lang="en">
 <div class="titlepage"><div><div><h2 class="title">
 <a name="Bv9ARM.ch08"></a>Chapter 8. Troubleshooting</h2></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605078">Common Problems</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2605083">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605095">Incrementing and Changing the Serial Number</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605112">Where Can I Get Help?</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2605078"></a>Common Problems</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2605083"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
 <p>
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
             up logging files beforehand. The log files provide a
             source of hints and information that can be used to figure out
             what went wrong and how to fix the problem.
           </p>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2605095"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
 <p>
           Zone serial numbers are just numbers &#8212; they aren't
           date related.  A lot of people set them to a number that
           represents a date, usually of the form YYYYMMDDRR.
           Occasionally they will make a mistake and set them to a
           "date in the future" then try to correct them by setting
           them to the "current date".  This causes problems because
           serial numbers are used to indicate that a zone has been
           updated.  If the serial number on the slave server is
           lower than the serial number on the master, the slave
           server will attempt to update its copy of the zone.
         </p>
 <p>
           Setting the serial number to a lower number on the master
           server than the slave server means that the slave will not perform
           updates to its copy of the zone.
         </p>
 <p>
           The solution to this is to add 2147483647 (2^31-1) to the
           number, reload the zone and make sure all slaves have updated to
           the new zone serial number, then reset the number to what you want
           it to be, and reload the zone again.
         </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="id2605112"></a>Where Can I Get Help?</h2></div></div></div>
 <p>
           The Internet Systems Consortium
           (<acronym class="acronym">ISC</acronym>) offers a wide range
           of support and service agreements for <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym> servers. Four
           levels of premium support are available and each level includes
           support for all <acronym class="acronym">ISC</acronym> programs,
           significant discounts on products
           and training, and a recognized priority on bug fixes and
           non-funded feature requests. In addition, <acronym class="acronym">ISC</acronym> offers a standard
           support agreement package which includes services ranging from bug
           fix announcements to remote support. It also includes training in
           <acronym class="acronym">BIND</acronym> and <acronym class="acronym">DHCP</acronym>.
         </p>
 <p>
           To discuss arrangements for support, contact
           <a href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
           <acronym class="acronym">ISC</acronym> web page at
           <a href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
           to read more.
         </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch07.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch09.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> Appendix A. Release Notes</td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html	(revision 286124)
@@ -1,315 +1,170 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Appendix A. Release Notes</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
 <link rel="next" href="Bv9ARM.ch10.html" title="Appendix B. A Brief History of the DNS and BIND">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">Appendix A. Release Notes</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="appendix" lang="en">
 <div class="titlepage"><div><div><h2 class="title">
 <a name="Bv9ARM.ch09"></a>Appendix A. Release Notes</h2></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2563588">Release Notes for BIND Version 9.9.7</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2563588">Release Notes for BIND Version 9.9.7-P2</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
 </dl></dd>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2563588"></a>Release Notes for BIND Version 9.9.7</h2></div></div></div>
+<a name="id2563588"></a>Release Notes for BIND Version 9.9.7-P2</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
 <p>
-      This document summarizes changes since the last production release
-      of BIND on the corresponding major release branch.
+      This document summarizes changes since BIND 9.9.7.
     </p>
+<p>
+      BIND 9.9.7-P2 addresses a security issue described in CVE-2015-5477.
+    </p>
+<p>
+      BIND 9.9.7-P1 addresses a security issue described in CVE-2015-4620.
+    </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_download"></a>Download</h3></div></div></div>
 <p>
       The latest versions of BIND 9 software can always be found at
       <a href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
       There you will find additional information about each release,
       source code, and pre-compiled versions for Microsoft Windows
       operating systems.
     </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul type="disc">
 <li>
 <p>
-	  On servers configured to perform DNSSEC validation using
-	  managed trust anchors (i.e., keys configured explicitly
-	  via <span><strong class="command">managed-keys</strong></span>, or implicitly 
-	  via <span><strong class="command">dnssec-validation auto;</strong></span> or
-	  <span><strong class="command">dnssec-lookaside auto;</strong></span>), revoking
-	  a trust anchor and sending a new untrusted replacement
-	  could cause <span><strong class="command">named</strong></span> to crash with an
-	  assertion failure. This could occur in the event of a
-	  botched key rollover, or potentially as a result of a
-	  deliberate attack if the attacker was in position to
-	  monitor the victim's DNS traffic.
+	  A specially crafted query could trigger an assertion failure
+	  in message.c.
 	</p>
 <p>
-	  This flaw was discovered by Jan-Piet Mens, and is
-	  disclosed in CVE-2015-1349. [RT #38344]
+	  This flaw was discovered by Jonathan Foote, and is disclosed
+	  in CVE-2015-5477. [RT #39795]
 	</p>
 </li>
 <li>
 <p>
-	  A flaw in delegation handling could be exploited to put
-	  <span><strong class="command">named</strong></span> into an infinite loop, in which
-	  each lookup of a name server triggered additional lookups
-	  of more name servers.  This has been addressed by placing
-	  limits on the number of levels of recursion
-	  <span><strong class="command">named</strong></span> will allow (default 7), and
-	  on the number of queries that it will send before
-	  terminating a recursive query (default 50).
+	  On servers configured to perform DNSSEC validation, an
+	  assertion failure could be triggered on answers from
+	  a specially configured server.
 	</p>
 <p>
-	  The recursion depth limit is configured via the
-	  <code class="option">max-recursion-depth</code> option, and the query limit
-	  via the <code class="option">max-recursion-queries</code> option.
+	  This flaw was discovered by Breno Silveira Soares, and is
+	  disclosed in CVE-2015-4620. [RT #39795]
 	</p>
-<p>
-	  The flaw was discovered by Florian Maury of ANSSI, and is
-	  disclosed in CVE-2014-8500. [RT #37580]
-	</p>
 </li>
 </ul></div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_features"></a>New Features</h3></div></div></div>
 <div class="itemizedlist"><ul type="disc"><li><p>None</p></li></ul></div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-<div class="itemizedlist"><ul type="disc">
-<li><p>
-          NXDOMAIN responses to queries of type DS are now cached separately
-          from those for other types. This helps when using "grafted" zones
-          of type forward, for which the parent zone does not contain a
-          delegation, such as local top-level domains.  Previously a query
-          of type DS for such a zone could cause the zone apex to be cached
-          as NXDOMAIN, blocking all subsequent queries.  (Note: This
-          change is only helpful when DNSSEC validation is not enabled.
-          "Grafted" zones without a delegation in the parent are not a
-          recommended configuration.)
-        </p></li>
-<li><p>
-          NOTIFY messages that are sent because a zone has been updated
-          are now given priority above NOTIFY messages that were scheduled
-          when the server started up. This should mitigate delays in zone
-          propagation when servers are restarted frequently.
-        </p></li>
-<li><p>
-          Errors reported when running <span><strong class="command">rndc addzone</strong></span>
-          (e.g., when a zone file cannot be loaded) have been clarified
-          to make it easier to diagnose problems.
-        </p></li>
-<li><p>
-	  Added support for OPENPGPKEY type.
-        </p></li>
-<li><p>
-	  When encountering an authoritative name server whose name is
-	  an alias pointing to another name, the resolver treats
-	  this as an error and skips to the next server. Previously
-	  this happened silently; now the error will be logged to
-	  the newly-created "cname" log category.
-	</p></li>
-<li><p>
-	  If named is not configured to validate the answer then
-	  allow fallback to plain DNS on timeout even when we know
-	  the server supports EDNS.  This will allow the server to
-	  potentially resolve signed queries when TCP is being
-	  blocked.
-	</p></li>
-</ul></div>
+<div class="itemizedlist"><ul type="disc"><li><p>None</p></li></ul></div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-<div class="itemizedlist"><ul type="disc">
-<li><p>
-	  <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span> and
-	  <span><strong class="command">nslookup</strong></span> aborted when encountering
-	  a name which, after appending search list elements,
-	  exceeded 255 bytes. Such names are now skipped, but
-	  processing of other names will continue. [RT #36892]
-        </p></li>
-<li><p>
-	  The error message generated when
-	  <span><strong class="command">named-checkzone</strong></span> or
-	  <span><strong class="command">named-checkconf -z</strong></span> encounters a
-	  <code class="option">$TTL</code> directive without a value has
-	  been clarified. [RT #37138]
-        </p></li>
-<li><p>
-	  Semicolon characters (;) included in TXT records were
-	  incorrectly escaped with a backslash when the record was
-	  displayed as text. This is actually only necessary when there
-	  are no quotation marks. [RT #37159]
-        </p></li>
-<li><p>
-	  When files opened for writing by <span><strong class="command">named</strong></span>,
-	  such as zone journal files, were referenced more than once
-	  in <code class="filename">named.conf</code>, it could lead to file
-	  corruption as multiple threads wrote to the same file. This
-	  is now detected when loading <code class="filename">named.conf</code>
-	  and reported as an error. [RT #37172]
-        </p></li>
-<li><p>
-          <span><strong class="command">dnssec-keygen -S</strong></span> failed to generate successor
-          keys for some algorithm types (including ECDSA and GOST) due to
-          a difference in the content of private key files. This has been
-          corrected. [RT #37183]
-        </p></li>
-<li><p>
-          UPDATE messages that arrived too soon after
-          an <span><strong class="command">rndc thaw</strong></span> could be lost. [RT #37233]
-        </p></li>
-<li><p>
-          Forwarding of UPDATE messages did not work when they were
-          signed with SIG(0); they resulted in a BADSIG response code.
-          [RT #37216]
-        </p></li>
-<li><p>
-          When checking for updates to trust anchors listed in
-          <code class="option">managed-keys</code>, <span><strong class="command">named</strong></span>
-          now revalidates keys based on the current set of
-          active trust anchors, without relying on any cached
-          record of previous validation. [RT #37506]
-        </p></li>
-<li><p>
-	  When NXDOMAIN redirection is in use, queries for a name
-	  that is present in the redirection zone but a type that
-	  is not present will now return NOERROR instead of NXDOMAIN.
-        </p></li>
-<li><p>
-	  When a zone contained a delegation to an IPv6 name server
-	  but not an IPv4 name server, it was possible for a memory
-	  reference to be left un-freed. This caused an assertion
-	  failure on server shutdown, but was otherwise harmless.
-	  [RT #37796]
-        </p></li>
-<li><p>
-	  Due to an inadvertent removal of code in the previous
-	  release, when <span><strong class="command">named</strong></span> encountered an
-	  authoritative name server which dropped all EDNS queries,
-	  it did not always try plain DNS. This has been corrected.
-	  [RT #37965]
-        </p></li>
-<li><p>
-	  A regression caused nsupdate to use the default recursive servers
-	  rather than the SOA MNAME server when sending the UPDATE.
-        </p></li>
-<li><p>
-	  Adjusted max-recursion-queries to better accommodate empty
-	  caches.
-        </p></li>
-<li><p>
-	  Built-in "empty" zones did not correctly inherit the
-	  "allow-transfer" ACL from the options or view. [RT #38310]
-        </p></li>
-<li><p>
-	  A mutex leak was fixed that could cause <span><strong class="command">named</strong></span>
-	  processes to grow to very large sizes. [RT #38454]
-	</p></li>
-<li><p>
-	  Fixed some bugs in RFC 5011 trust anchor management,
-	  including a memory leak and a possible loss of state
-	  information.[RT #38458]
-	</p></li>
-</ul></div>
+<div class="itemizedlist"><ul type="disc"><li><p>None</p></li></ul></div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="end_of_life"></a>End of Life</h3></div></div></div>
 <p>
       The BIND 9.9 (Extended Support Version) will be supported until June, 2017.
       <a href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
     </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
 <p>
       Thank you to everyone who assisted us in making this release possible.
       If you would like to contribute to ISC to assist us in continuing to
       make quality open source software, please visit our donations page at
       <a href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
     </p>
 </div>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch10.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Chapter 8. Troubleshooting </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html	(revision 286124)
@@ -1,168 +1,168 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Appendix B. A Brief History of the DNS and BIND</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch09.html" title="Appendix A. Release Notes">
 <link rel="next" href="Bv9ARM.ch11.html" title="Appendix C. General DNS Reference Information">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
 </th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch09.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch11.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="appendix" lang="en">
 <div class="titlepage"><div><div><h2 class="title">
 <a name="Bv9ARM.ch10"></a>Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
 </h2></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl><dt><span class="sect1"><a href="Bv9ARM.ch10.html#historical_dns_information"></a></span></dt></dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"></div>
 <p>
             Although the "official" beginning of the Domain Name
             System occurred in 1984 with the publication of RFC 920, the
             core of the new system was described in 1983 in RFCs 882 and
             883. From 1984 to 1987, the ARPAnet (the precursor to today's
             Internet) became a testbed of experimentation for developing the
             new naming/addressing scheme in a rapidly expanding,
             operational network environment.  New RFCs were written and
             published in 1987 that modified the original documents to
             incorporate improvements based on the working model. RFC 1034,
             "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
             Names-Implementation and Specification" were published and
             became the standards upon which all <acronym class="acronym">DNS</acronym> implementations are
             built.
           </p>
 <p>
             The first working domain name server, called "Jeeves", was
             written in 1983-84 by Paul Mockapetris for operation on DEC
             Tops-20
             machines located at the University of Southern California's
             Information
             Sciences Institute (USC-ISI) and SRI International's Network
             Information
             Center (SRI-NIC). A <acronym class="acronym">DNS</acronym> server for
             Unix machines, the Berkeley Internet
             Name Domain (<acronym class="acronym">BIND</acronym>) package, was
             written soon after by a group of
             graduate students at the University of California at Berkeley
             under
             a grant from the US Defense Advanced Research Projects
             Administration
             (DARPA).
           </p>
 <p>
             Versions of <acronym class="acronym">BIND</acronym> through
             4.8.3 were maintained by the Computer
             Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
             Painter, David Riggle and Songnian Zhou made up the initial <acronym class="acronym">BIND</acronym>
             project team. After that, additional work on the software package
             was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
             Corporation
             employee on loan to the CSRG, worked on <acronym class="acronym">BIND</acronym> for 2 years, from 1985
             to 1987. Many other people also contributed to <acronym class="acronym">BIND</acronym> development
             during that time: Doug Kingston, Craig Partridge, Smoot
             Carl-Mitchell,
             Mike Muuss, Jim Bloom and Mike Schwartz. <acronym class="acronym">BIND</acronym> maintenance was subsequently
             handled by Mike Karels and Øivind Kure.
           </p>
 <p>
             <acronym class="acronym">BIND</acronym> versions 4.9 and 4.9.1 were
             released by Digital Equipment
             Corporation (now Compaq Computer Corporation). Paul Vixie, then
             a DEC employee, became <acronym class="acronym">BIND</acronym>'s
             primary caretaker. He was assisted
             by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
             Beecher, Andrew
             Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
             Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
             Wolfhugel, and others.
           </p>
 <p>
             In 1994, <acronym class="acronym">BIND</acronym> version 4.9.2 was sponsored by
             Vixie Enterprises. Paul
             Vixie became <acronym class="acronym">BIND</acronym>'s principal
             architect/programmer.
           </p>
 <p>
             <acronym class="acronym">BIND</acronym> versions from 4.9.3 onward
             have been developed and maintained
             by the Internet Systems Consortium and its predecessor,
             the Internet Software Consortium,  with support being provided
             by ISC's sponsors.
           </p>
 <p>
             As co-architects/programmers, Bob Halley and
             Paul Vixie released the first production-ready version of
             <acronym class="acronym">BIND</acronym> version 8 in May 1997.
           </p>
 <p>
             BIND version 9 was released in September 2000 and is a
             major rewrite of nearly all aspects of the underlying
             BIND architecture.
           </p>
 <p>
             BIND versions 4 and 8 are officially deprecated.
             No additional development is done
             on BIND version 4 or BIND version 8.
           </p>
 <p>
             <acronym class="acronym">BIND</acronym> development work is made
             possible today by the sponsorship
             of several corporations, and by the tireless work efforts of
             numerous individuals.
           </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch09.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch11.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Appendix A. Release Notes </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> Appendix C. General <acronym class="acronym">DNS</acronym> Reference Information</td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch11.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch11.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch11.html	(revision 286124)
@@ -1,519 +1,519 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Appendix C. General DNS Reference Information</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch10.html" title="Appendix B. A Brief History of the DNS and BIND">
 <link rel="next" href="Bv9ARM.ch12.html" title="Appendix D. BIND 9 DNS Library Support">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">Appendix C. General <acronym class="acronym">DNS</acronym> Reference Information</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch10.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch12.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="appendix" lang="en">
 <div class="titlepage"><div><div><h2 class="title">
 <a name="Bv9ARM.ch11"></a>Appendix C. General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch11.html#id2608563">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
 </dl></dd>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h2></div></div></div>
 <p>
             IPv6 addresses are 128-bit identifiers for interfaces and
             sets of interfaces which were introduced in the <acronym class="acronym">DNS</acronym> to facilitate
             scalable Internet routing. There are three types of addresses: <span class="emphasis"><em>Unicast</em></span>,
             an identifier for a single interface;
             <span class="emphasis"><em>Anycast</em></span>,
             an identifier for a set of interfaces; and <span class="emphasis"><em>Multicast</em></span>,
             an identifier for a set of interfaces. Here we describe the global
             Unicast address scheme. For more information, see RFC 3587,
             "Global Unicast Address Format."
           </p>
 <p>
             IPv6 unicast addresses consist of a
             <span class="emphasis"><em>global routing prefix</em></span>, a
             <span class="emphasis"><em>subnet identifier</em></span>, and an
             <span class="emphasis"><em>interface identifier</em></span>.
           </p>
 <p>
             The global routing prefix is provided by the
             upstream provider or ISP, and (roughly) corresponds to the
             IPv4 <span class="emphasis"><em>network</em></span> section
             of the address range.
 
             The subnet identifier is for local subnetting, much the
             same as subnetting an
             IPv4 /16 network into /24 subnets.
 
             The interface identifier is the address of an individual
             interface on a given network; in IPv6, addresses belong to
             interfaces rather than to machines.
           </p>
 <p>
             The subnetting capability of IPv6 is much more flexible than
             that of IPv4: subnetting can be carried out on bit boundaries,
             in much the same way as Classless InterDomain Routing
             (CIDR), and the DNS PTR representation ("nibble" format)
             makes setting up reverse zones easier.
           </p>
 <p>
             The Interface Identifier must be unique on the local link,
             and is usually generated automatically by the IPv6
             implementation, although it is usually possible to
             override the default setting if necessary.  A typical IPv6
             address might look like:
             <span><strong class="command">2001:db8:201:9:a00:20ff:fe81:2b32</strong></span>
           </p>
 <p>
             IPv6 address specifications often contain long strings
             of zeros, so the architects have included a shorthand for
             specifying
             them. The double colon (`::') indicates the longest possible
             string
             of zeros that can fit, and can be used only once in an address.
           </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="bibliography"></a>Bibliography (and Suggested Reading)</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="rfcs"></a>Request for Comments (RFCs)</h3></div></div></div>
 <p>
             Specification documents for the Internet protocol suite, including
             the <acronym class="acronym">DNS</acronym>, are published as part of
             the Request for Comments (RFCs)
             series of technical notes. The standards themselves are defined
             by the Internet Engineering Task Force (IETF) and the Internet
             Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
           </p>
 <p>
             <a href="ftp://www.isi.edu/in-notes/" target="_top">
               ftp://www.isi.edu/in-notes/RFC<em class="replaceable"><code>xxxx</code></em>.txt
             </a>
           </p>
 <p>
             (where <em class="replaceable"><code>xxxx</code></em> is
             the number of the RFC). RFCs are also available via the Web at:
           </p>
 <p>
             <a href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>.
           </p>
 <div class="bibliography">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2605539"></a>Bibliography</h4></div></div></div>
 <div class="bibliodiv">
 <h3 class="title">Standards</h3>
 <div class="biblioentry">
 <a name="id2605549"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2605573"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2605596"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
                   Specification</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <a name="proposed_standards"></a>Proposed Standards</h3>
 <div class="biblioentry">
 <a name="id2605633"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
                   Specification</i>. </span><span class="pubdate">July 1997. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2605659"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
                   Queries</i>. </span><span class="pubdate">March 1998. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2605685"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2605709"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2605733"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2605788"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2605815"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2605842"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2605904"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2605933"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2605963"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2605990"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
 <div class="biblioentry">
 <a name="id2606072"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606099"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606135"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606200"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606265"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
                        Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
                 Implementation</h3>
 <div class="biblioentry">
 <a name="id2606339"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
                   Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606364"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
                   Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606433"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606468"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
                 Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Resource Record Types</h3>
 <div class="biblioentry">
 <a name="id2606514"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606571"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606609"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
                   the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606644"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
                   Domain
                   Name System</i>. </span><span class="pubdate">January 1996. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606766"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
                   Location of
                   Services.</i>. </span><span class="pubdate">October 1996. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606805"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
                   Distribute MIXER
                   Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606830"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606856"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606883"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606909"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606949"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2606979"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607009"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607051"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607084"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607111"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607134"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
                   version 6</i>. </span><span class="pubdate">October 2003. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607192"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> and the Internet</h3>
 <div class="biblioentry">
 <a name="id2607224"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
                   and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607250"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
                   Support</i>. </span><span class="pubdate">October 1989. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607272"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607296"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607410"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607433"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> Operations</h3>
 <div class="biblioentry">
 <a name="id2607491"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607514"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
                   Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607541"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
                   Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607568"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607604"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
                   Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Internationalized Domain Names</h3>
 <div class="biblioentry">
 <a name="id2607650"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607682"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607728"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607763"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Other <acronym class="acronym">DNS</acronym>-related RFCs</h3>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
                   Note: the following list of RFCs, although
                   <acronym class="acronym">DNS</acronym>-related, are not
                   concerned with implementing software.
                 </p>
 </div>
 <div class="biblioentry">
 <a name="id2607808"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
                   Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607830"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607856"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
                   Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607881"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607905"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607950"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2607974"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2608001"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
                        Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2608026"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
 <div class="biblioentry">
 <a name="id2608070"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
                   Location</i>. </span><span class="pubdate">November 1994. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2608128"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2608154"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Obsoleted DNS Security RFCs</h3>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
                   Most of these have been consolidated into RFC4033,
                   RFC4034 and RFC4035 which collectively describe DNSSECbis.
                 </p>
 </div>
 <div class="biblioentry">
 <a name="id2608202"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2608242"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2608268"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2608298"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
                        Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2608324"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2608350"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2608387"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2608423"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2608450"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2608476"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
 </div>
 <div class="biblioentry">
 <a name="id2608521"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
 </div>
 </div>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="internet_drafts"></a>Internet Drafts</h3></div></div></div>
 <p>
             Internet Drafts (IDs) are rough-draft working documents of
             the Internet Engineering Task Force. They are, in essence, RFCs
             in the preliminary stages of development. Implementors are
             cautioned not
             to regard IDs as archival, and they should not be quoted or cited
             in any formal documents unless accompanied by the disclaimer that
             they are "works in progress." IDs have a lifespan of six months
             after which they are deleted unless updated by their authors.
           </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="id2608563"></a>Other Documents About <acronym class="acronym">BIND</acronym>
 </h3></div></div></div>
 <p></p>
 <div class="bibliography">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="id2608572"></a>Bibliography</h4></div></div></div>
 <div class="biblioentry">
 <a name="id2608574"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
 </div>
 </div>
 </div>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch10.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch12.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Appendix B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> Appendix D. BIND 9 DNS Library Support</td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch12.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch12.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch12.html	(revision 286124)
@@ -1,545 +1,545 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Appendix D. BIND 9 DNS Library Support</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch11.html" title="Appendix C. General DNS Reference Information">
 <link rel="next" href="Bv9ARM.ch13.html" title="Manual pages">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">Appendix D. BIND 9 DNS Library Support</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch11.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch13.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="appendix" lang="en">
 <div class="titlepage"><div><div><h2 class="title">
 <a name="Bv9ARM.ch12"></a>Appendix D. BIND 9 DNS Library Support</h2></div></div></div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611396">Prerequisite</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2610723">Compilation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2610747">Installation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2610778">Known Defects/Restrictions</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2610855">The dns.conf File</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2610882">Sample Applications</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611718">Library References</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611115">Prerequisite</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611125">Compilation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2609306">Installation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2609337">Known Defects/Restrictions</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2610301">The dns.conf File</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2610328">Sample Applications</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611437">Library References</a></span></dt>
 </dl></dd>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="bind9.library"></a>BIND 9 DNS Library Support</h2></div></div></div>
 <p>This version of BIND 9 "exports" its internal libraries so
   that they can be used by third-party applications more easily (we
   call them "export" libraries in this document). In addition to
   all major DNS-related APIs BIND 9 is currently using, the export
   libraries provide the following features:</p>
 <div class="itemizedlist"><ul type="disc">
 <li><p>The newly created "DNS client" module. This is a higher
       level API that provides an interface to name resolution,
       single DNS transaction with a particular server, and dynamic
       update. Regarding name resolution, it supports advanced
       features such as DNSSEC validation and caching. This module
       supports both synchronous and asynchronous mode.</p></li>
 <li><p>The new "IRS" (Information Retrieval System) library.
       It provides an interface to parse the traditional resolv.conf
       file and more advanced, DNS-specific configuration file for
       the rest of this package (see the description for the
       dns.conf file below).</p></li>
 <li><p>As part of the IRS library, newly implemented standard
       address-name mapping functions, getaddrinfo() and
       getnameinfo(), are provided. They use the DNSSEC-aware
       validating resolver backend, and could use other advanced
       features of the BIND 9 libraries such as caching. The
       getaddrinfo() function resolves both A and AAAA RRs
       concurrently (when the address family is unspecified).</p></li>
 <li><p>An experimental framework to support other event
       libraries than BIND 9's internal event task system.</p></li>
 </ul></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2611396"></a>Prerequisite</h3></div></div></div>
+<a name="id2611115"></a>Prerequisite</h3></div></div></div>
 <p>GNU make is required to build the export libraries (other
   part of BIND 9 can still be built with other types of make). In
   the reminder of this document, "make" means GNU make. Note that
   in some platforms you may need to invoke a different command name
   than "make" (e.g. "gmake") to indicate it's GNU make.</p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2610723"></a>Compilation</h3></div></div></div>
+<a name="id2611125"></a>Compilation</h3></div></div></div>
 <pre class="screen">
 $ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags]</code></em></code></strong>
 $ <strong class="userinput"><code>make</code></strong>
 </pre>
 <p>
   This will create (in addition to usual BIND 9 programs) and a
   separate set of libraries under the lib/export directory. For
   example, <code class="filename">lib/export/dns/libdns.a</code> is the archive file of the
   export version of the BIND 9 DNS library. Sample application
   programs using the libraries will also be built under the
   lib/export/samples directory (see below).</p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2610747"></a>Installation</h3></div></div></div>
+<a name="id2609306"></a>Installation</h3></div></div></div>
 <pre class="screen">
 $ <strong class="userinput"><code>cd lib/export</code></strong>
 $ <strong class="userinput"><code>make install</code></strong>
 </pre>
 <p>
   This will install library object files under the directory
   specified by the --with-export-libdir configure option (default:
   EPREFIX/lib/bind9), and header files under the directory
   specified by the --with-export-includedir configure option
   (default: PREFIX/include/bind9).
   Root privilege is normally required.
   "<span><strong class="command">make install</strong></span>" at the top directory will do the
   same.
   </p>
 <p>
   To see how to build your own
   application after the installation, see
   <code class="filename">lib/export/samples/Makefile-postinstall.in</code>.</p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2610778"></a>Known Defects/Restrictions</h3></div></div></div>
+<a name="id2609337"></a>Known Defects/Restrictions</h3></div></div></div>
 <div class="itemizedlist"><ul type="disc">
 <li><p>Currently, win32 is not supported for the export
       library. (Normal BIND 9 application can be built as
       before).</p></li>
 <li>
 <p>The "fixed" RRset order is not (currently) supported in
       the export library. If you want to use "fixed" RRset order
       for, e.g. <span><strong class="command">named</strong></span> while still building the
       export library even without the fixed order support, build
       them separately:
       </p>
 <pre class="screen">
 $ <strong class="userinput"><code>./configure --enable-fixed-rrset <em class="replaceable"><code>[other flags, but not --enable-exportlib]</code></em></code></strong>
 $ <strong class="userinput"><code>make</code></strong>
 $ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags, but not --enable-fixed-rrset]</code></em></code></strong>
 $ <strong class="userinput"><code>cd lib/export</code></strong>
 $ <strong class="userinput"><code>make</code></strong>
 </pre>
 <p>
     </p>
 </li>
 <li><p>The client module and the IRS library currently do not
       support DNSSEC validation using DLV (the underlying modules
       can handle it, but there is no tunable interface to enable
       the feature).</p></li>
 <li><p>RFC 5011 is not supported in the validating stub
       resolver of the export library. In fact, it is not clear
       whether it should: trust anchors would be a system-wide
       configuration which would be managed by an administrator,
       while the stub resolver will be used by ordinary applications
       run by a normal user.</p></li>
 <li><p>Not all common <code class="filename">/etc/resolv.conf</code>
       options are supported
       in the IRS library. The only available options in this
       version are "debug" and "ndots".</p></li>
 </ul></div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2610855"></a>The dns.conf File</h3></div></div></div>
+<a name="id2610301"></a>The dns.conf File</h3></div></div></div>
 <p>The IRS library supports an "advanced" configuration file
   related to the DNS library for configuration parameters that
   would be beyond the capability of the
   <code class="filename">resolv.conf</code> file.
   Specifically, it is intended to provide DNSSEC related
   configuration parameters. By default the path to this
   configuration file is <code class="filename">/etc/dns.conf</code>.
   This module is very
   experimental and the configuration syntax or library interfaces
   may change in future versions. Currently, only the
   <span><strong class="command">trusted-keys</strong></span>
   statement is supported, whose syntax is the same as the same name
   of statement for <code class="filename">named.conf</code>. (See
   <a href="Bv9ARM.ch06.html#trusted-keys" title="trusted-keys Statement Grammar">the section called &#8220;<span><strong class="command">trusted-keys</strong></span> Statement Grammar&#8221;</a> for details.)</p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2610882"></a>Sample Applications</h3></div></div></div>
+<a name="id2610328"></a>Sample Applications</h3></div></div></div>
 <p>Some sample application programs using this API are
   provided for reference. The following is a brief description of
   these applications.
   </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2610890"></a>sample: a simple stub resolver utility</h4></div></div></div>
+<a name="id2610337"></a>sample: a simple stub resolver utility</h4></div></div></div>
 <p>
   It sends a query of a given name (of a given optional RR type) to a
   specified recursive server, and prints the result as a list of
   RRs. It can also act as a validating stub resolver if a trust
   anchor is given via a set of command line options.</p>
 <p>
   Usage: sample [options] server_address hostname
   </p>
 <p>
   Options and Arguments:
   </p>
 <div class="variablelist"><dl>
 <dt><span class="term">
   -t RRtype
   </span></dt>
 <dd><p>
         specify the RR type of the query.  The default is the A RR.
   </p></dd>
 <dt><span class="term">
   [-a algorithm] [-e] -k keyname -K keystring
   </span></dt>
 <dd>
 <p>
         specify a command-line DNS key to validate the answer.  For
         example, to specify the following DNSKEY of example.com:
 </p>
 <div class="literallayout"><p><br>
                 example.com. 3600 IN DNSKEY 257 3 5 xxx<br>
 </p></div>
 <p>
         specify the options as follows:
 </p>
 <pre class="screen">
 <strong class="userinput"><code>
           -e -k example.com -K "xxx"
 </code></strong>
 </pre>
 <p>
         -e means that this key is a zone's "key signing key" (as known
         as "secure Entry point").
         When -a is omitted rsasha1 will be used by default.
   </p>
 </dd>
 <dt><span class="term">
   -s domain:alt_server_address
   </span></dt>
 <dd><p>
          specify a separate recursive server address for the specific
         "domain".  Example: -s example.com:2001:db8::1234
   </p></dd>
 <dt><span class="term">server_address</span></dt>
 <dd><p>
         an IP(v4/v6) address of the recursive server to which queries
         are sent.
   </p></dd>
 <dt><span class="term">hostname</span></dt>
 <dd><p>
         the domain name for the query
   </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2610981"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
+<a name="id2610427"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
 <p>
   Similar to "sample", but accepts a list
   of (query) domain names as a separate file and resolves the names
   asynchronously.</p>
 <p>
     Usage: sample-async [-s server_address] [-t RR_type] input_file</p>
 <p>
  Options and Arguments:
   </p>
 <div class="variablelist"><dl>
 <dt><span class="term">
    -s server_address
    </span></dt>
 <dd>
    an IPv4 address of the recursive server to which queries are sent.
   (IPv6 addresses are not supported in this implementation)
   </dd>
 <dt><span class="term">
    -t RR_type
   </span></dt>
 <dd>
   specify the RR type of the queries. The default is the A
   RR.
   </dd>
 <dt><span class="term">
    input_file
   </span></dt>
 <dd>
    a list of domain names to be resolved. each line
   consists of a single domain name. Example:
   <div class="literallayout"><p><br>
   www.example.com<br>
   mx.example.net<br>
   ns.xxx.example<br>
 </p></div>
 </dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2611102"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
+<a name="id2610481"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
 <p>
   It sends a query to a specified server, and
   prints the response with minimal processing. It doesn't act as a
   "stub resolver": it stops the processing once it gets any
   response from the server, whether it's a referral or an alias
   (CNAME or DNAME) that would require further queries to get the
   ultimate answer. In other words, this utility acts as a very
   simplified <span><strong class="command">dig</strong></span>.
   </p>
 <p>
   Usage: sample-request [-t RRtype] server_address hostname
   </p>
 <p>
     Options and Arguments:
   </p>
 <div class="variablelist"><dl>
 <dt><span class="term">
    -t RRtype
   </span></dt>
 <dd><p>
   specify the RR type of
   the queries. The default is the A RR.
   </p></dd>
 <dt><span class="term">
   server_address
   </span></dt>
 <dd><p>
    an IP(v4/v6)
   address of the recursive server to which the query is sent.
   </p></dd>
 <dt><span class="term">
   hostname
   </span></dt>
 <dd><p>
   the domain name for the query
   </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2611166"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
+<a name="id2610818"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
 <p>
   This is a test program
   to check getaddrinfo() and getnameinfo() behavior. It takes a
   host name as an argument, calls getaddrinfo() with the given host
   name, and calls getnameinfo() with the resulting IP addresses
   returned by getaddrinfo(). If the dns.conf file exists and
   defines a trust anchor, the underlying resolver will act as a
   validating resolver, and getaddrinfo()/getnameinfo() will fail
   with an EAI_INSECUREDATA error when DNSSEC validation fails.
   </p>
 <p>
   Usage: sample-gai hostname
   </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2611181"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
+<a name="id2610833"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
 <p>
   It accepts a single update command as a
   command-line argument, sends an update request message to the
   authoritative server, and shows the response from the server. In
   other words, this is a simplified <span><strong class="command">nsupdate</strong></span>.
   </p>
 <p>
    Usage: sample-update [options] (add|delete) "update data"
   </p>
 <p>
   Options and Arguments:
   </p>
 <div class="variablelist"><dl>
 <dt><span class="term">
   -a auth_server
    </span></dt>
 <dd><p>
         An IP address of the authoritative server that has authority
         for the zone containing the update name.  This should normally
         be the primary authoritative server that accepts dynamic
         updates.  It can also be a secondary server that is configured
         to forward update requests to the primary server.
    </p></dd>
 <dt><span class="term">
   -k keyfile
    </span></dt>
 <dd><p>
         A TSIG key file to secure the update transaction.  The keyfile
         format is the same as that for the nsupdate utility.
    </p></dd>
 <dt><span class="term">
   -p prerequisite
    </span></dt>
 <dd><p>
         A prerequisite for the update (only one prerequisite can be
         specified).  The prerequisite format is the same as that is
         accepted by the nsupdate utility.
    </p></dd>
 <dt><span class="term">
   -r recursive_server
    </span></dt>
 <dd><p>
         An IP address of a recursive server that this utility will
         use.  A recursive server may be necessary to identify the
         authoritative server address to which the update request is
         sent.
    </p></dd>
 <dt><span class="term">
   -z zonename
    </span></dt>
 <dd><p>
         The domain name of the zone that contains
    </p></dd>
 <dt><span class="term">
   (add|delete)
    </span></dt>
 <dd><p>
         Specify the type of update operation.  Either "add" or "delete"
         must be specified.
    </p></dd>
 <dt><span class="term">
   "update data"
    </span></dt>
 <dd><p>
         Specify the data to be updated.  A typical example of the data
         would look like "name TTL RRtype RDATA".
   </p></dd>
 </dl></div>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>In practice, either -a or -r must be specified.  Others can
    be optional; the underlying library routine tries to identify the
    appropriate server and the zone name for the update.</div>
 <p>
    Examples: assuming the primary authoritative server of the
    dynamic.example.com zone has an IPv6 address 2001:db8::1234,
    </p>
 <pre class="screen">
 $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</code></strong></pre>
 <p>
      adds an A RR for foo.dynamic.example.com using the given key.
    </p>
 <pre class="screen">
 $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</code></strong></pre>
 <p>
      removes all A RRs for foo.dynamic.example.com using the given key.
    </p>
 <pre class="screen">   
 $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</code></strong></pre>
 <p>
      removes all RRs for foo.dynamic.example.com using the given key.
    </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2611654"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
+<a name="id2611373"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
 <p>
   It checks a set
   of domains to see the name servers of the domains behave
   correctly in terms of RFC 4074. This is included in the set of
   sample programs to show how the export library can be used in a
   DNS-related application.
   </p>
 <p>
  Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
   </p>
 <p>
    Options
   </p>
 <div class="variablelist"><dl>
 <dt><span class="term">
   -d
   </span></dt>
 <dd><p>
         run in the "debug" mode.  with this option nsprobe will dump
         every RRs it receives.
   </p></dd>
 <dt><span class="term">
   -v
   </span></dt>
 <dd><p>
         increase verbosity of other normal log messages.  This can be
         specified multiple times
   </p></dd>
 <dt><span class="term">
   -c cache_address
   </span></dt>
 <dd><p>
         specify an IP address of a recursive (caching) name server.
         nsprobe uses this server to get the NS RRset of each domain and
         the A and/or AAAA RRsets for the name servers.  The default
         value is 127.0.0.1.
   </p></dd>
 <dt><span class="term">
   input_file
   </span></dt>
 <dd><p>
         a file name containing a list of domain (zone) names to be
         probed.  when omitted the standard input will be used.  Each
         line of the input file specifies a single domain name such as
         "example.com".  In general this domain name must be the apex
         name of some DNS zone (unlike normal "host names" such as
         "www.example.com").  nsprobe first identifies the NS RRsets for
         the given domain name, and sends A and AAAA queries to these
         servers for some "widely used" names under the zone;
         specifically, adding "www" and "ftp" to the zone name.
   </p></dd>
 </dl></div>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2611718"></a>Library References</h3></div></div></div>
+<a name="id2611437"></a>Library References</h3></div></div></div>
 <p>As of this writing, there is no formal "manual" of the
   libraries, except this document, header files (some of them
   provide pretty detailed explanations), and sample application
   programs.</p>
 </div>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch11.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch13.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Appendix C. General <acronym class="acronym">DNS</acronym> Reference Information </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> Manual pages</td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch13.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch13.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch13.html	(revision 286124)
@@ -1,145 +1,145 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>Manual pages</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="prev" href="Bv9ARM.ch12.html" title="Appendix D. BIND 9 DNS Library Support">
 <link rel="next" href="man.dig.html" title="dig">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">Manual pages</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch12.html">Prev</a> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="man.dig.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="reference" lang="en">
 <div class="titlepage">
 <div><div><h1 class="title">
 <a name="Bv9ARM.ch13"></a>Manual pages</h1></div></div>
 <hr>
 </div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
 <dt>
 <span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-checkds.html"><span class="application">dnssec-checkds</span></a></span><span class="refpurpose"> &#8212; A DNSSEC delegation consistency checking tool.</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-coverage.html"><span class="application">dnssec-coverage</span></a></span><span class="refpurpose"> &#8212; checks future DNSKEY coverage for a zone</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> &#8212; DNSSEC DS RR generation tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-revoke.html"><span class="application">dnssec-revoke</span></a></span><span class="refpurpose"> &#8212; Set the REVOKED bit on a DNSSEC key</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-settime.html"><span class="application">dnssec-settime</span></a></span><span class="refpurpose"> &#8212; Set the key timing metadata for a DNSSEC key</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone signing tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-verify.html"><span class="application">dnssec-verify</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone verification tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> &#8212; zone file validity checking or converting tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> &#8212; print zone journal in human-readable form</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> &#8212; rndc configuration file</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> &#8212; ddns key generation tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> &#8212; translate IP addresses to the corresponding ARPA names</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> &#8212; generate a file containing random data</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> &#8212; fixes HMAC keys generated by older versions of BIND</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
 </dt>
 </dl>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch12.html">Prev</a> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dig.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Appendix D. BIND 9 DNS Library Support </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> dig</td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.html	(revision 286124)
@@ -1,370 +1,370 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>BIND 9 Administrator Reference Manual</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">BIND 9 Administrator Reference Manual</th></tr>
 <tr>
 <td width="20%" align="left"> </td>
 <th width="60%" align="center"> </th>
 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch01.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="book" lang="en">
 <div class="titlepage">
 <div>
 <div><h1 class="title">
 <a name="id2563180"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.9.7</p></div>
+<div><p class="releaseinfo">BIND Version 9.9.7-P2</p></div>
 <div><p class="copyright">Copyright © 2004-2015 Internet Systems Consortium, Inc. ("ISC")</p></div>
 <div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
 </div>
 <hr>
 </div>
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563509">Scope of Document</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563533">Organization of This Document</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564629">Conventions Used in This Document</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564810">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564832">DNS Fundamentals</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564934">Domains and Domain Names</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567271">Zones</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567348">Authoritative Name Servers</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567589">Caching Name Servers</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567651">Name Servers in Multiple Roles</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567685">Hardware requirements</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567712">CPU Requirements</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567793">Memory Requirements</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567819">Name Server Intensive Environment Issues</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567830">Supported Operating Systems</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567998">A Caching-only Name Server</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568014">An Authoritative-only Name Server</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568037">Load Balancing</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568391">Name Server Operations</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568396">Tools for Use With the Name Server Daemon</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2569449">Signals</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2564237">Split DNS</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564256">Example split DNS setup</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570560">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570701">Copying the Shared Secret to Both Machines</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570712">Informing the Servers of the Key's Existence</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570748">Instructing the Server to Use the Key</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570806">TSIG Key Based Access Control</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570855">Errors</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570869">TKEY</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570918">SIG(0)</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571054">Generating Keys</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571338">Signing the Zone</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571419">Configuring Servers</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609449">Converting from insecure to secure</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609486">Dynamic DNS update method</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563716">Fully automatic zone signing</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563963">Private-type records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564001">DNSKEY rollovers</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564013">Dynamic DNS update method</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569781">Automatic key rollovers</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569808">NSEC3PARAM rollovers via UPDATE</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569817">Converting from NSEC to NSEC3</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569827">Converting from NSEC3 to NSEC</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608888">Converting from secure to insecure</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608925">Periodic re-signing</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608935">NSEC3 and OPTOUT</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2569982">Validating Resolver</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570005">Authoritative Server</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2609020">Prerequisites</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610137">Building BIND 9 with PKCS#11</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612651">PKCS #11 Tools</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2612682">Using the HSM</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636637">Specifying the engine on the command line</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2636683">Running named with automatic zone re-signing</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571639">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571906">Address Lookups Using AAAA Records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571927">Address to Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2571960">The Lightweight Resolver Library</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573374">Comment Syntax</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574035"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574225"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574584"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574601"><span><strong class="command">include</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574761"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574785"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574875"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575001"><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577168"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577241"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577305"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577417"><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577438"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
             Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590489"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
             Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590796"><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590843"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591278"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
             Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592987"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2596605">Zone File</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598768">Discussion of MX Records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599451">Inverse Mapping in IPv4</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599578">Other Zone File Directives</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599851"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2604721"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2604802">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2604861">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605078">Common Problems</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2605083">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605095">Incrementing and Changing the Serial Number</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2605112">Where Can I Get Help?</a></span></dt>
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2563588">Release Notes for BIND Version 9.9.7</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2563588">Release Notes for BIND Version 9.9.7-P2</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_thanks">Thank You</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch10.html">B. A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt>
 <dd><dl><dt><span class="sect1"><a href="Bv9ARM.ch10.html#historical_dns_information"></a></span></dt></dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch11.html">C. General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch11.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch11.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch11.html#rfcs">Request for Comments (RFCs)</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch11.html#internet_drafts">Internet Drafts</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch11.html#id2608563">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch12.html">D. BIND 9 DNS Library Support</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611396">Prerequisite</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2610723">Compilation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2610747">Installation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2610778">Known Defects/Restrictions</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2610855">The dns.conf File</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2610882">Sample Applications</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611718">Library References</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611115">Prerequisite</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611125">Compilation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2609306">Installation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2609337">Known Defects/Restrictions</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2610301">The dns.conf File</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2610328">Sample Applications</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611437">Library References</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="reference"><a href="Bv9ARM.ch13.html">I. Manual pages</a></span></dt>
 <dd><dl>
 <dt>
 <span class="refentrytitle"><a href="man.dig.html">dig</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-checkds.html"><span class="application">dnssec-checkds</span></a></span><span class="refpurpose"> &#8212; A DNSSEC delegation consistency checking tool.</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-coverage.html"><span class="application">dnssec-coverage</span></a></span><span class="refpurpose"> &#8212; checks future DNSKEY coverage for a zone</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> &#8212; DNSSEC DS RR generation tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-revoke.html"><span class="application">dnssec-revoke</span></a></span><span class="refpurpose"> &#8212; Set the REVOKED bit on a DNSSEC key</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-settime.html"><span class="application">dnssec-settime</span></a></span><span class="refpurpose"> &#8212; Set the key timing metadata for a DNSSEC key</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone signing tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.dnssec-verify.html"><span class="application">dnssec-verify</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone verification tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.named-checkconf.html"><span class="application">named-checkconf</span></a></span><span class="refpurpose"> &#8212; named configuration file syntax checking tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.named-checkzone.html"><span class="application">named-checkzone</span></a></span><span class="refpurpose"> &#8212; zone file validity checking or converting tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> &#8212; print zone journal in human-readable form</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.rndc.conf.html"><code class="filename">rndc.conf</code></a></span><span class="refpurpose"> &#8212; rndc configuration file</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> &#8212; ddns key generation tool</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> &#8212; translate IP addresses to the corresponding ARPA names</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> &#8212; generate a file containing random data</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> &#8212; fixes HMAC keys generated by older versions of BIND</span>
 </dt>
 <dt>
 <span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
 </dt>
 </dl></dd>
 </dl>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left"> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch01.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top"> </td>
 <td width="20%" align="center"> </td>
 <td width="40%" align="right" valign="top"> Chapter 1. Introduction</td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/Bv9ARM.pdf
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/pdf

Index: stable/9/contrib/bind9/doc/arm/man.arpaname.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.arpaname.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.arpaname.html	(revision 286124)
@@ -1,92 +1,92 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>arpaname</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.ddns-confgen.html" title="ddns-confgen">
 <link rel="next" href="man.genrandom.html" title="genrandom">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">arpaname</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.ddns-confgen.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.genrandom.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.arpaname"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">arpaname</span> &#8212; translate IP addresses to the corresponding ARPA names</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">arpaname</code>  {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2620725"></a><h2>DESCRIPTION</h2>
+<a name="id2618396"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2620740"></a><h2>SEE ALSO</h2>
+<a name="id2618411"></a><h2>SEE ALSO</h2>
 <p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2620754"></a><h2>AUTHOR</h2>
+<a name="id2618425"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.ddns-confgen.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.genrandom.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">ddns-confgen</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">genrandom</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html	(revision 286124)
@@ -1,181 +1,181 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>ddns-confgen</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.rndc-confgen.html" title="rndc-confgen">
 <link rel="next" href="man.arpaname.html" title="arpaname">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">ddns-confgen</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.rndc-confgen.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.arpaname.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.ddns-confgen"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">ddns-confgen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em>  |   -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2654880"></a><h2>DESCRIPTION</h2>
+<a name="id2657944"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">ddns-confgen</strong></span>
       generates a key for use by <span><strong class="command">nsupdate</strong></span>
       and <span><strong class="command">named</strong></span>.  It simplifies configuration
       of dynamic zones by generating a key and providing the
       <span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span>
       syntax that will be needed to use it, including an example
       <span><strong class="command">update-policy</strong></span> statement.
     </p>
 <p>
       If a domain name is specified on the command line, it will
       be used in the name of the generated key and in the sample
       <span><strong class="command">named.conf</strong></span> syntax.  For example,
       <span><strong class="command">ddns-confgen example.com</strong></span> would
       generate a key called "ddns-key.example.com", and sample
       <span><strong class="command">named.conf</strong></span> command that could be used
       in the zone definition for "example.com".
     </p>
 <p>
       Note that <span><strong class="command">named</strong></span> itself can configure a
       local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>.
       <span><strong class="command">ddns-confgen</strong></span> is only needed when a 
       more elaborate configuration is required: for instance, if
       <span><strong class="command">nsupdate</strong></span> is to be used from a remote system.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2656469"></a><h2>OPTIONS</h2>
+<a name="id2658032"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd><p>
             Specifies the algorithm to use for the TSIG key.  Available
             choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
             hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
 	  </p></dd>
 <dt><span class="term">-h</span></dt>
 <dd><p>
 	    Prints a short summary of the options and arguments to
 	    <span><strong class="command">ddns-confgen</strong></span>.
 	  </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
 <dd><p>
 	    Specifies the key name of the DDNS authentication key.
 	    The default is <code class="constant">ddns-key</code> when neither
 	    the <code class="option">-s</code> nor <code class="option">-z</code> option is
 	    specified; otherwise, the default
 	    is <code class="constant">ddns-key</code> as a separate label
 	    followed by the argument of the option, e.g.,
 	    <code class="constant">ddns-key.example.com.</code>
 	    The key name must have the format of a valid domain name,
 	    consisting of letters, digits, hyphens and periods.
 	  </p></dd>
 <dt><span class="term">-q</span></dt>
 <dd><p>
 	    Quiet mode:  Print only the key, with no explanatory text or
             usage examples.
 	  </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
 <dd><p>
             Specifies a source of random data for generating the
             authorization.  If the operating system does not provide a
             <code class="filename">/dev/random</code> or equivalent device, the
             default source of randomness is keyboard input.
             <code class="filename">randomdev</code> specifies the name of a
             character device or file containing random data to be used
             instead of the default.  The special value
             <code class="filename">keyboard</code> indicates that keyboard input
             should be used.
 	  </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
 <dd><p>
 	    Single host mode: The example <span><strong class="command">named.conf</strong></span> text
 	    shows how to set an update policy for the specified
 	    <em class="replaceable"><code>name</code></em>
 	    using the "name" nametype.
 	    The default key name is
 	    ddns-key.<em class="replaceable"><code>name</code></em>.
 	    Note that the "self" nametype cannot be used, since
 	    the name to be updated may differ from the key name.
 	    This option cannot be used with the <code class="option">-z</code> option.
 	  </p></dd>
 <dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
 <dd><p>
 	    zone mode:  The example <span><strong class="command">named.conf</strong></span> text
             shows how to set an update policy for the specified
 	    <em class="replaceable"><code>zone</code></em>
 	    using the "zonesub" nametype, allowing updates to all subdomain
 	    names within
 	    that <em class="replaceable"><code>zone</code></em>.
 	    This option cannot be used with the <code class="option">-s</code> option.
 	  </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2656669"></a><h2>SEE ALSO</h2>
+<a name="id2658710"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2656708"></a><h2>AUTHOR</h2>
+<a name="id2658817"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.rndc-confgen.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.arpaname.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">rndc-confgen</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">arpaname</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.dig.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.dig.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.dig.html	(revision 286124)
@@ -1,721 +1,721 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dig</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="next" href="man.host.html" title="host">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">dig</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="Bv9ARM.ch13.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.dig"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>dig &#8212; DNS lookup utility</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div>
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [<code class="option">-h</code>]</p></div>
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612260"></a><h2>DESCRIPTION</h2>
+<a name="id2611911"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dig</strong></span>
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
       displays the answers that are returned from the name server(s) that
       were queried.  Most DNS administrators use <span><strong class="command">dig</strong></span> to
       troubleshoot DNS problems because of its flexibility, ease of use and
       clarity of output.  Other lookup tools tend to have less functionality
       than <span><strong class="command">dig</strong></span>.
     </p>
 <p>
       Although <span><strong class="command">dig</strong></span> is normally used with
       command-line
       arguments, it also has a batch mode of operation for reading lookup
       requests from a file.  A brief summary of its command-line arguments
       and options is printed when the <code class="option">-h</code> option is given.
       Unlike earlier versions, the BIND 9 implementation of
       <span><strong class="command">dig</strong></span> allows multiple lookups to be issued
       from the
       command line.
     </p>
 <p>
       Unless it is told to query a specific name server,
       <span><strong class="command">dig</strong></span> will try each of the servers listed in
       <code class="filename">/etc/resolv.conf</code>. If no usable server addresses
       are found, <span><strong class="command">dig</strong></span> will send the query to the local
       host.
     </p>
 <p>
       When no command line arguments or options are given,
       <span><strong class="command">dig</strong></span> will perform an NS query for "." (the root).
     </p>
 <p>
       It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via
       <code class="filename">${HOME}/.digrc</code>.  This file is read and
       any options in it
       are applied before the command line arguments.
     </p>
 <p>
       The IN and CH class names overlap with the IN and CH top level
       domain names.  Either use the <code class="option">-t</code> and
       <code class="option">-c</code> options to specify the type and class, 
       use the <code class="option">-q</code> the specify the domain name, or
       use "IN." and "CH." when looking up these top level domains.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612362"></a><h2>SIMPLE USAGE</h2>
+<a name="id2612013"></a><h2>SIMPLE USAGE</h2>
 <p>
       A typical invocation of <span><strong class="command">dig</strong></span> looks like:
       </p>
 <pre class="programlisting"> dig @server name type </pre>
 <p>
       where:
 
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">server</code></span></dt>
 <dd>
 <p>
 	      is the name or IP address of the name server to query.  This
 	      can be an IPv4 address in dotted-decimal notation or an IPv6
 	      address in colon-delimited notation.  When the supplied
 	      <em class="parameter"><code>server</code></em> argument is a hostname,
 	      <span><strong class="command">dig</strong></span> resolves that name before querying
 	      that name server.
 	    </p>
 <p>
 	      If no <em class="parameter"><code>server</code></em> argument is
 	      provided, <span><strong class="command">dig</strong></span> consults
 	      <code class="filename">/etc/resolv.conf</code>; if an
 	      address is found there, it queries the name server at
 	      that address. If either of the <code class="option">-4</code> or
 	      <code class="option">-6</code> options are in use, then
 	      only addresses for the corresponding transport
 	      will be tried.  If no usable addresses are found,
 	      <span><strong class="command">dig</strong></span> will send the query to the
 	      local host.  The reply from the name server that
 	      responds is displayed.
 	    </p>
 </dd>
 <dt><span class="term"><code class="constant">name</code></span></dt>
 <dd><p>
 	      is the name of the resource record that is to be looked up.
 	    </p></dd>
 <dt><span class="term"><code class="constant">type</code></span></dt>
 <dd><p>
 	      indicates what type of query is required &#8212;
 	      ANY, A, MX, SIG, etc.
 	      <em class="parameter"><code>type</code></em> can be any valid query
 	      type.  If no
 	      <em class="parameter"><code>type</code></em> argument is supplied,
 	      <span><strong class="command">dig</strong></span> will perform a lookup for an
 	      A record.
 	    </p></dd>
 </dl></div>
 <p>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612829"></a><h2>OPTIONS</h2>
+<a name="id2612276"></a><h2>OPTIONS</h2>
 <p>
       The <code class="option">-b</code> option sets the source IP address of the query
       to <em class="parameter"><code>address</code></em>.  This must be a valid
       address on
       one of the host's network interfaces or "0.0.0.0" or "::".  An optional
       port
       may be specified by appending "#&lt;port&gt;"
     </p>
 <p>
       The default query class (IN for internet) is overridden by the
       <code class="option">-c</code> option.  <em class="parameter"><code>class</code></em> is
       any valid
       class, such as HS for Hesiod records or CH for Chaosnet records.
     </p>
 <p>
       The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span>
       operate
       in batch mode by reading a list of lookup requests to process from the
       file <em class="parameter"><code>filename</code></em>.  The file contains a
       number of
       queries, one per line.  Each entry in the file should be organized in
       the same way they would be presented as queries to
       <span><strong class="command">dig</strong></span> using the command-line interface.
     </p>
 <p>
       The <code class="option">-m</code> option enables memory usage debugging.
       
     </p>
 <p>
       If a non-standard port number is to be queried, the
       <code class="option">-p</code> option is used.  <em class="parameter"><code>port#</code></em> is
       the port number that <span><strong class="command">dig</strong></span> will send its
       queries
       instead of the standard DNS port number 53.  This option would be used
       to test a name server that has been configured to listen for queries
       on a non-standard port number.
     </p>
 <p>
       The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span>
       to only
       use IPv4 query transport.  The <code class="option">-6</code> option forces
       <span><strong class="command">dig</strong></span> to only use IPv6 query transport.
     </p>
 <p>
       The <code class="option">-t</code> option sets the query type to
       <em class="parameter"><code>type</code></em>.  It can be any valid query type
       which is
       supported in BIND 9.  The default query type is "A", unless the
       <code class="option">-x</code> option is supplied to indicate a reverse lookup.
       A zone transfer can be requested by specifying a type of AXFR.  When
       an incremental zone transfer (IXFR) is required,
       <em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>.
       The incremental zone transfer will contain the changes made to the zone
       since the serial number in the zone's SOA record was
       <em class="parameter"><code>N</code></em>.
     </p>
 <p>
       The <code class="option">-q</code> option sets the query name to 
       <em class="parameter"><code>name</code></em>.  This is useful to distinguish the
       <em class="parameter"><code>name</code></em> from other arguments.
     </p>
 <p>
       The <code class="option">-v</code> causes <span><strong class="command">dig</strong></span> to
       print the version number and exit.
     </p>
 <p>
       Reverse lookups &#8212; mapping addresses to names &#8212; are simplified by the
       <code class="option">-x</code> option.  <em class="parameter"><code>addr</code></em> is
       an IPv4
       address in dotted-decimal notation, or a colon-delimited IPv6 address.
       When this option is used, there is no need to provide the
       <em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and
       <em class="parameter"><code>type</code></em> arguments.  <span><strong class="command">dig</strong></span>
       automatically performs a lookup for a name like
       <code class="literal">11.12.13.10.in-addr.arpa</code> and sets the
       query type and
       class to PTR and IN respectively.  By default, IPv6 addresses are
       looked up using nibble format under the IP6.ARPA domain.
       To use the older RFC1886 method using the IP6.INT domain
       specify the <code class="option">-i</code> option.  Bit string labels (RFC2874)
       are now experimental and are not attempted.
     </p>
 <p>
       To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and
       their
       responses using transaction signatures (TSIG), specify a TSIG key file
       using the <code class="option">-k</code> option.  You can also specify the TSIG
       key itself on the command line using the <code class="option">-y</code> option;
       <em class="parameter"><code>hmac</code></em> is the type of the TSIG, default HMAC-MD5,
       <em class="parameter"><code>name</code></em> is the name of the TSIG key and
       <em class="parameter"><code>key</code></em> is the actual key.  The key is a
       base-64
       encoded string, typically generated by
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
 
       Caution should be taken when using the <code class="option">-y</code> option on
       multi-user systems as the key can be visible in the output from
       <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
       or in the shell's history file.  When
       using TSIG authentication with <span><strong class="command">dig</strong></span>, the name
       server that is queried needs to know the key and algorithm that is
       being used.  In BIND, this is done by providing appropriate
       <span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in
       <code class="filename">named.conf</code>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2664316"></a><h2>QUERY OPTIONS</h2>
+<a name="id2664309"></a><h2>QUERY OPTIONS</h2>
 <p><span><strong class="command">dig</strong></span>
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
       these set or reset flag bits in the query header, some determine which
       sections of the answer get printed, and others determine the timeout
       and retry strategies.
     </p>
 <p>
       Each query option is identified by a keyword preceded by a plus sign
       (<code class="literal">+</code>).  Some keywords set or reset an
       option.  These may be preceded
       by the string <code class="literal">no</code> to negate the meaning of
       that keyword.  Other
       keywords assign values to options like the timeout interval.  They
       have the form <code class="option">+keyword=value</code>.
       The query options are:
 
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
 <dd><p>
 	      A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
 <dd><p>
 	      Sets the "aa" flag in the query.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]additional</code></span></dt>
 <dd><p>
 	      Display [do not display] the additional section of a
 	      reply.  The default is to display it.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
 <dd><p>
 	      Set [do not set] the AD (authentic data) bit in the
 	      query.  This requests the server to return whether
 	      all of the answer and authority sections have all
 	      been validated as secure according to the security
 	      policy of the server.  AD=1 indicates that all records
 	      have been validated as secure and the answer is not
 	      from a OPT-OUT range.  AD=0 indicate that some part
 	      of the answer was insecure or not validated.  This
 	      bit is set by default.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]all</code></span></dt>
 <dd><p>
 	      Set or clear all display flags.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]answer</code></span></dt>
 <dd><p>
 	      Display [do not display] the answer section of a
 	      reply.  The default is to display it.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]authority</code></span></dt>
 <dd><p>
 	      Display [do not display] the authority section of a
 	      reply.  The default is to display it.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
 <dd><p>
 	      Attempt to display the contents of messages which are
 	      malformed.  The default is to not display malformed
 	      answers.
 	    </p></dd>
 <dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
 <dd><p>
 	      Set the UDP message buffer size advertised using EDNS0
 	      to <em class="parameter"><code>B</code></em> bytes.  The maximum and
 	      minimum sizes of this buffer are 65535 and 0 respectively.
 	      Values outside this range are rounded up or down
 	      appropriately.  Values other than zero will cause a
 	      EDNS query to be sent.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
 <dd><p>
 	      Set [do not set] the CD (checking disabled) bit in
 	      the query.  This requests the server to not perform
 	      DNSSEC validation of responses.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]cl</code></span></dt>
 <dd><p>
 	      Display [do not display] the CLASS when printing the
 	      record.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
 <dd><p>
 	      Toggles the printing of the initial comment in the
 	      output identifying the version of <span><strong class="command">dig</strong></span>
 	      and the query options that have been applied.  This
 	      comment is printed by default.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]comments</code></span></dt>
 <dd><p>
 	      Toggle the display of comment lines in the output.
 	      The default is to print comments.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]defname</code></span></dt>
 <dd><p>
 	      Deprecated, treated as a synonym for
 	      <em class="parameter"><code>+[no]search</code></em>
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
 <dd><p>
 	      Requests DNSSEC records be sent by setting the DNSSEC
 	      OK bit (DO) in the OPT record in the additional section
 	      of the query.
 	    </p></dd>
 <dt><span class="term"><code class="option">+domain=somename</code></span></dt>
 <dd><p>
 	      Set the search list to contain the single domain
 	      <em class="parameter"><code>somename</code></em>, as if specified in
 	      a <span><strong class="command">domain</strong></span> directive in
 	      <code class="filename">/etc/resolv.conf</code>, and enable
 	      search list processing as if the
 	      <em class="parameter"><code>+search</code></em> option were given.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]edns[=#]</code></span></dt>
 <dd><p>
 	       Specify the EDNS version to query with.  Valid values
 	       are 0 to 255.  Setting the EDNS version will cause
 	       a EDNS query to be sent.  <code class="option">+noedns</code>
 	       clears the remembered EDNS version.  EDNS is set to
 	       0 by default.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]fail</code></span></dt>
 <dd><p>
 	      Do not try the next server if you receive a SERVFAIL.
 	      The default is to not try the next server which is
 	      the reverse of normal stub resolver behavior.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]identify</code></span></dt>
 <dd><p>
 	      Show [or do not show] the IP address and port number
 	      that supplied the answer when the
 	      <em class="parameter"><code>+short</code></em> option is enabled.  If
 	      short form answers are requested, the default is not
 	      to show the source address and port number of the
 	      server that provided the answer.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
 <dd><p>
 	      Ignore truncation in UDP responses instead of retrying
 	      with TCP.  By default, TCP retries are performed.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]keepopen</code></span></dt>
 <dd><p>
 	      Keep the TCP socket open between queries and reuse
 	      it rather than creating a new TCP socket for each
 	      lookup.  The default is <code class="option">+nokeepopen</code>.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
 <dd><p>
 	      Print records like the SOA records in a verbose
 	      multi-line format with human-readable comments.  The
 	      default is to print each record on a single line, to
 	      facilitate machine parsing of the <span><strong class="command">dig</strong></span>
 	      output.
 	    </p></dd>
 <dt><span class="term"><code class="option">+ndots=D</code></span></dt>
 <dd><p>
 	      Set the number of dots that have to appear in
 	      <em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em>
 	      for it to be considered absolute.  The default value
 	      is that defined using the ndots statement in
 	      <code class="filename">/etc/resolv.conf</code>, or 1 if no
 	      ndots statement is present.  Names with fewer dots
 	      are interpreted as relative names and will be searched
 	      for in the domains listed in the <code class="option">search</code>
 	      or <code class="option">domain</code> directive in
 	      <code class="filename">/etc/resolv.conf</code> if
 	      <code class="option">+search</code> is set.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
 <dd><p>
 	      Include an EDNS name server ID request when sending
 	      a query.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
 <dd><p>
 	      When this option is set, <span><strong class="command">dig</strong></span>
 	      attempts to find the authoritative name servers for
 	      the zone containing the name being looked up and
 	      display the SOA record that each name server has for
 	      the zone.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]onesoa</code></span></dt>
 <dd><p>
 	      Print only one (starting) SOA record when performing
 	      an AXFR. The default is to print both the starting
 	      and ending SOA records.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]qr</code></span></dt>
 <dd><p>
 	      Print [do not print] the query as it is sent.  By
 	      default, the query is not printed.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]question</code></span></dt>
 <dd><p>
 	      Print [do not print] the question section of a query
 	      when an answer is returned.  The default is to print
 	      the question section as a comment.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
 <dd><p>
 	      Toggle the setting of the RD (recursion desired) bit
 	      in the query.  This bit is set by default, which means
 	      <span><strong class="command">dig</strong></span> normally sends recursive
 	      queries.  Recursion is automatically disabled when
 	      the <em class="parameter"><code>+nssearch</code></em> or
 	      <em class="parameter"><code>+trace</code></em> query options are used.
 	    </p></dd>
 <dt><span class="term"><code class="option">+retry=T</code></span></dt>
 <dd><p>
 	      Sets the number of times to retry UDP queries to
 	      server to <em class="parameter"><code>T</code></em> instead of the
 	      default, 2.  Unlike <em class="parameter"><code>+tries</code></em>,
 	      this does not include the initial query.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
 <dd><p>
 	      Toggle the display of per-record comments in the
 	      output (for example, human-readable key information
 	      about DNSKEY records).  The default is not to print
 	      record comments unless multiline mode is active.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]search</code></span></dt>
 <dd>
 <p>
 	      Use [do not use] the search list defined by the
 	      searchlist or domain directive in
 	      <code class="filename">resolv.conf</code> (if any).  The search
 	      list is not used by default.
 	    </p>
 <p>
 	      'ndots' from <code class="filename">resolv.conf</code> (default 1)
 	       which may be overridden by <em class="parameter"><code>+ndots</code></em>
 	      determines if the name will be treated as relative
 	      or not and hence whether a search is eventually
 	      performed or not.
 	    </p>
 </dd>
 <dt><span class="term"><code class="option">+[no]short</code></span></dt>
 <dd><p>
 	      Provide a terse answer.  The default is to print the
 	      answer in a verbose form.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
 <dd><p>
 	      Perform [do not perform] a search showing intermediate
 	      results.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]sigchase</code></span></dt>
 <dd><p>
 	      Chase DNSSEC signature chains.  Requires dig be
 	      compiled with -DDIG_SIGCHASE.
 	    </p></dd>
 <dt><span class="term"><code class="option">+split=W</code></span></dt>
 <dd><p>
 	      Split long hex- or base64-formatted fields in resource
 	      records into chunks of <em class="parameter"><code>W</code></em>
 	      characters (where <em class="parameter"><code>W</code></em> is rounded
 	      up to the nearest multiple of 4).
 	      <em class="parameter"><code>+nosplit</code></em> or
 	      <em class="parameter"><code>+split=0</code></em> causes fields not to
 	      be split at all.  The default is 56 characters, or
 	      44 characters when multiline mode is active.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]stats</code></span></dt>
 <dd><p>
 	      This query option toggles the printing of statistics:
 	      when the query was made, the size of the reply and
 	      so on.  The default behavior is to print the query
 	      statistics.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
 <dd><p>
 	      Use [do not use] TCP when querying name servers. The
 	      default behavior is to use UDP unless an
 	      <code class="literal">ixfr=N</code> query is requested, in which
 	      case the default is TCP.  AXFR queries always use
 	      TCP.
 	    </p></dd>
 <dt><span class="term"><code class="option">+time=T</code></span></dt>
 <dd><p>
 
 	      Sets the timeout for a query to
 	      <em class="parameter"><code>T</code></em> seconds.  The default
 	      timeout is 5 seconds.
 	      An attempt to set <em class="parameter"><code>T</code></em> to less
 	      than 1 will result
 	      in a query timeout of 1 second being applied.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]topdown</code></span></dt>
 <dd><p>
 	      When chasing DNSSEC signature chains perform a top-down
 	      validation.  Requires dig be compiled with -DDIG_SIGCHASE.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]trace</code></span></dt>
 <dd>
 <p>
 	      Toggle tracing of the delegation path from the root
 	      name servers for the name being looked up.  Tracing
 	      is disabled by default.  When tracing is enabled,
 	      <span><strong class="command">dig</strong></span> makes iterative queries to
 	      resolve the name being looked up.  It will follow
 	      referrals from the root servers, showing the answer
 	      from each server that was used to resolve the lookup.
 	    </p>
 <p>
 	      <span><strong class="command">+dnssec</strong></span> is also set when +trace
 	      is set to better emulate the default queries from a
 	      nameserver.
 	    </p>
 </dd>
 <dt><span class="term"><code class="option">+tries=T</code></span></dt>
 <dd><p>
 	      Sets the number of times to try UDP queries to server
 	      to <em class="parameter"><code>T</code></em> instead of the default,
 	      3.  If <em class="parameter"><code>T</code></em> is less than or equal
 	      to zero, the number of tries is silently rounded up
 	      to 1.
 	    </p></dd>
 <dt><span class="term"><code class="option">+trusted-key=####</code></span></dt>
 <dd>
 <p>
 	      Specifies a file containing trusted keys to be used
 	      with <code class="option">+sigchase</code>.  Each DNSKEY record
 	      must be on its own line.
 	    </p>
 <p>
 	      If not specified, <span><strong class="command">dig</strong></span> will look
 	      for <code class="filename">/etc/trusted-key.key</code> then
 	      <code class="filename">trusted-key.key</code> in the current
 	      directory.
 	    </p>
 <p>
 	      Requires dig be compiled with -DDIG_SIGCHASE.
 	    </p>
 </dd>
 <dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
 <dd><p>
 	      Display [do not display] the TTL when printing the
 	      record.
 	    </p></dd>
 <dt><span class="term"><code class="option">+[no]vc</code></span></dt>
 <dd><p>
 	      Use [do not use] TCP when querying name servers.  This
 	      alternate syntax to <em class="parameter"><code>+[no]tcp</code></em>
 	      is provided for backwards compatibility.  The "vc"
 	      stands for "virtual circuit".
 	    </p></dd>
 </dl></div>
 <p>
 
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665499"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2665492"></a><h2>MULTIPLE QUERIES</h2>
 <p>
       The BIND 9 implementation of <span><strong class="command">dig </strong></span>
       supports
       specifying multiple queries on the command line (in addition to
       supporting the <code class="option">-f</code> batch file option).  Each of those
       queries can be supplied with its own set of flags, options and query
       options.
     </p>
 <p>
       In this case, each <em class="parameter"><code>query</code></em> argument
       represent an
       individual query in the command-line syntax described above.  Each
       consists of any of the standard options and flags, the name to be
       looked up, an optional query type and class and any query options that
       should be applied to that query.
     </p>
 <p>
       A global set of query options, which should be applied to all queries,
       can also be supplied.  These global query options must precede the
       first tuple of name, class, type, options, flags, and query options
       supplied on the command line.  Any global query options (except
       the <code class="option">+[no]cmd</code> option) can be
       overridden by a query-specific set of query options.  For example:
       </p>
 <pre class="programlisting">
 dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 </pre>
 <p>
       shows how <span><strong class="command">dig</strong></span> could be used from the
       command line
       to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a
       reverse lookup of 127.0.0.1 and a query for the NS records of
       <code class="literal">isc.org</code>.
 
       A global query option of <em class="parameter"><code>+qr</code></em> is
       applied, so
       that <span><strong class="command">dig</strong></span> shows the initial query it made
       for each
       lookup.  The final query has a local query option of
       <em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span>
       will not print the initial query when it looks up the NS records for
       <code class="literal">isc.org</code>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665653"></a><h2>IDN SUPPORT</h2>
+<a name="id2665577"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
       <span><strong class="command">dig</strong></span> appropriately converts character encoding of
       domain name before sending a request to DNS server or displaying a
       reply from the server.
       If you'd like to turn off the IDN support for some reason, defines
       the <code class="envar">IDN_DISABLE</code> environment variable.
       The IDN support is disabled if the variable is set when 
       <span><strong class="command">dig</strong></span> runs.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665750"></a><h2>FILES</h2>
+<a name="id2665606"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 <p><code class="filename">${HOME}/.digrc</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665771"></a><h2>SEE ALSO</h2>
+<a name="id2665627"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">RFC1035</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665809"></a><h2>BUGS</h2>
+<a name="id2665665"></a><h2>BUGS</h2>
 <p>
       There are probably too many query options.
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="Bv9ARM.ch13.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.host.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">Manual pages </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> host</td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.dnssec-checkds.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-checkds.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-checkds.html	(revision 286124)
@@ -1,123 +1,123 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-checkds</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.host.html" title="host">
 <link rel="next" href="man.dnssec-coverage.html" title="dnssec-coverage">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">dnssec-checkds</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.host.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.dnssec-coverage.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.dnssec-checkds"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">dnssec-checkds</span> &#8212; A DNSSEC delegation consistency checking tool.</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">dnssec-checkds</code>  [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div>
 <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614344"></a><h2>DESCRIPTION</h2>
+<a name="id2614337"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-checkds</strong></span>
       verifies the correctness of Delegation Signer (DS) or DNSSEC
       Lookaside Validation (DLV) resource records for keys in a specified
       zone.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614358"></a><h2>OPTIONS</h2>
+<a name="id2614350"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 <dd><p>
             If a <code class="option">file</code> is specified, then the zone is
             read from that file to find the DNSKEY records.  If not,
             then the DNSKEY records for the zone are looked up in the DNS.
           </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 <dd><p>
             Check for a DLV record in the specified lookaside domain, 
             instead of checking for a DS record in the zone's parent.
             For example, to check for DLV records for "example.com"
             in ISC's DLV zone, use:
             <span><strong class="command">dnssec-checkds -l dlv.isc.org example.com</strong></span>
           </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>dig path</code></em></span></dt>
 <dd><p>
             Specifies a path to a <span><strong class="command">dig</strong></span> binary.  Used
             for testing.
           </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>dsfromkey path</code></em></span></dt>
 <dd><p>
             Specifies a path to a <span><strong class="command">dnssec-dsfromkey</strong></span> binary.
             Used for testing.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614460"></a><h2>SEE ALSO</h2>
+<a name="id2614453"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614494"></a><h2>AUTHOR</h2>
+<a name="id2614487"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.host.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-coverage.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">host </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">dnssec-coverage</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.dnssec-coverage.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-coverage.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-coverage.html	(revision 286124)
@@ -1,206 +1,206 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-coverage</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-checkds.html" title="dnssec-checkds">
 <link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">dnssec-coverage</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.dnssec-checkds.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.dnssec-coverage"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">dnssec-coverage</span> &#8212; checks future DNSKEY coverage for a zone</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code>  [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [zone]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615065"></a><h2>DESCRIPTION</h2>
+<a name="id2614580"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-coverage</strong></span>
       verifies that the DNSSEC keys for a given zone or a set of zones
       have timing metadata set properly to ensure no future lapses in DNSSEC
       coverage.
     </p>
 <p>
       If <code class="option">zone</code> is specified, then keys found in
       the key repository matching that zone are scanned, and an ordered
       list is generated of the events scheduled for that key (i.e.,
       publication, activation, inactivation, deletion).  The list of
       events is walked in order of occurrence.  Warnings are generated
       if any event is scheduled which could cause the zone to enter a
       state in which validation failures might occur: for example, if
       the number of published or active keys for a given algorithm drops
       to zero, or if a key is deleted from the zone too soon after a new
       key is rolled, and cached data signed by the prior key has not had
       time to expire from resolver caches.
     </p>
 <p>
       If <code class="option">zone</code> is not specified, then all keys in the
       key repository will be scanned, and all zones for which there are
       keys will be analyzed.  (Note: This method of reporting is only
       accurate if all the zones that have keys in a given repository
       share the same TTL parameters.)
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615160"></a><h2>OPTIONS</h2>
+<a name="id2614606"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 <dd><p>
             If a <code class="option">file</code> is specified, then the zone is
             read from that file; the largest TTL and the DNSKEY TTL are
             determined directly from the zone data, and the
             <code class="option">-m</code> and <code class="option">-d</code> options do
             not need to be specified on the command line.
           </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
             Sets the directory in which keys can be found.  Defaults to the
             current working directory.
           </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>maximum TTL</code></em></span></dt>
 <dd>
 <p>
             Sets the value to be used as the maximum TTL for the zone or
             zones being analyzed when determining whether there is a
             possibility of validation failure.  When a zone-signing key is
             deactivated, there must be enough time for the record in the
             zone with the longest TTL to have expired from resolver caches
             before that key can be purged from the DNSKEY RRset.  If that
             condition does not apply, a warning will be generated.
           </p>
 <p>
             The length of the TTL can be set in seconds, or in larger units
             of time by adding a suffix: 'mi' for minutes, 'h' for hours,
             'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
           </p>
 <p>
             This option is mandatory unless the <code class="option">-f</code> has
             been used to specify a zone file.  (If <code class="option">-f</code> has
             been specified, this option may still be used; it will override
             the value found in the file.)
           </p>
 </dd>
 <dt><span class="term">-d <em class="replaceable"><code>DNSKEY TTL</code></em></span></dt>
 <dd>
 <p>
             Sets the value to be used as the DNSKEY TTL for the zone or
             zones being analyzed when determining whether there is a
             possibility of validation failure.  When a key is rolled (that
             is, replaced with a new key), there must be enough time
             for the old DNSKEY RRset to have expired from resolver caches
             before the new key is activated and begins generating
             signatures.  If that condition does not apply, a warning
             will be generated.
           </p>
 <p>
             The length of the TTL can be set in seconds, or in larger units
             of time by adding a suffix: 'mi' for minutes, 'h' for hours,
             'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
           </p>
 <p>
             This option is mandatory unless the <code class="option">-f</code> has
             been used to specify a zone file, or a default key TTL was
             set with the <code class="option">-L</code> to
             <span><strong class="command">dnssec-keygen</strong></span>.  (If either of those is true,
             this option may still be used; it will override the value found
             in the zone or key file.)
           </p>
 </dd>
 <dt><span class="term">-r <em class="replaceable"><code>resign interval</code></em></span></dt>
 <dd>
 <p>
             Sets the value to be used as the resign interval for the zone
             or zones being analyzed when determining whether there is a
             possibility of validation failure.  This value defaults to
             22.5 days, which is also the default in
             <span><strong class="command">named</strong></span>.  However, if it has been changed
             by the <code class="option">sig-validity-interval</code> option in
             <code class="filename">named.conf</code>, then it should also be
             changed here.
           </p>
 <p>
             The length of the interval can be set in seconds, or in larger
             units of time by adding a suffix: 'mi' for minutes, 'h' for hours,
             'd' for days, 'w' for weeks, 'mo' for months, 'y' for years.
           </p>
 </dd>
 <dt><span class="term">-c <em class="replaceable"><code>compilezone path</code></em></span></dt>
 <dd><p>
             Specifies a path to a <span><strong class="command">named-compilezone</strong></span> binary.
             Used for testing.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615411"></a><h2>SEE ALSO</h2>
+<a name="id2615335"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615454"></a><h2>AUTHOR</h2>
+<a name="id2615379"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-checkds.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">dnssec-checkds</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">dnssec-dsfromkey</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html	(revision 286124)
@@ -1,218 +1,218 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-dsfromkey</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-coverage.html" title="dnssec-coverage">
 <link rel="next" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">dnssec-dsfromkey</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.dnssec-coverage.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
 <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
 <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2616890"></a><h2>DESCRIPTION</h2>
+<a name="id2615790"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-dsfromkey</strong></span>
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2616904"></a><h2>OPTIONS</h2>
+<a name="id2615804"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-1</span></dt>
 <dd><p>
             Use SHA-1 as the digest algorithm (the default is to use
             both SHA-1 and SHA-256).
           </p></dd>
 <dt><span class="term">-2</span></dt>
 <dd><p>
             Use SHA-256 as the digest algorithm.
           </p></dd>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd><p>
             Select the digest algorithm. The value of
             <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
             SHA-256 (SHA256), GOST or SHA-384 (SHA384).
             These values are case insensitive.
           </p></dd>
 <dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
 <dd><p>
             Specifies the TTL of the DS records.
           </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
             Look for key files (or, in keyset mode,
             <code class="filename">keyset-</code> files) in
             <code class="option">directory</code>.
           </p></dd>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 <dd>
 <p>
             Zone file mode: in place of the keyfile name, the argument is
             the DNS domain name of a zone master file, which can be read
             from <code class="option">file</code>.  If the zone name is the same as
             <code class="option">file</code>, then it may be omitted.
           </p>
 <p>
             If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
             the zone data is read from the standard input.  This makes it
             possible to use the output of the <span><strong class="command">dig</strong></span>
             command as input, as in:
           </p>
 <p>
             <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
           </p>
 </dd>
 <dt><span class="term">-A</span></dt>
 <dd><p>
             Include ZSK's when generating DS records.  Without this option,
             only keys which have the KSK flag set will be converted to DS
             records and printed.  Useful only in zone file mode. 
           </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 <dd><p>
             Generate a DLV set instead of a DS set.  The specified
             <code class="option">domain</code> is appended to the name for each
             record in the set.
             The DNSSEC Lookaside Validation (DLV) RR is described
             in RFC 4431.
           </p></dd>
 <dt><span class="term">-s</span></dt>
 <dd><p>
             Keyset mode: in place of the keyfile name, the argument is
             the DNS domain name of a keyset file.
           </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd><p>
             Specifies the DNS class (default is IN).  Useful only
             in keyset or zone file mode.
           </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 <dd><p>
             Sets the debugging level.
           </p></dd>
 <dt><span class="term">-h</span></dt>
 <dd><p>
             Prints usage information.
           </p></dd>
 <dt><span class="term">-V</span></dt>
 <dd><p>
             Prints version information.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2618395"></a><h2>EXAMPLE</h2>
+<a name="id2616476"></a><h2>EXAMPLE</h2>
 <p>
       To build the SHA-256 DS RR from the
       <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
       keyfile name, the following command would be issued:
     </p>
 <p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
     </p>
 <p>
       The command would print something like:
     </p>
 <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2618432"></a><h2>FILES</h2>
+<a name="id2616513"></a><h2>FILES</h2>
 <p>
       The keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
       <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
       <span class="refentrytitle">dnssec-keygen</span>(8).
     </p>
 <p>
       The keyset file name is built from the <code class="option">directory</code>,
       the string <code class="filename">keyset-</code> and the
       <code class="option">dnsname</code>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2618473"></a><h2>CAVEAT</h2>
+<a name="id2617510"></a><h2>CAVEAT</h2>
 <p>
       A keyfile error can give a "file not found" even if the file exists.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2618483"></a><h2>SEE ALSO</h2>
+<a name="id2617520"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 3658</em>,
       <em class="citetitle">RFC 4431</em>.
       <em class="citetitle">RFC 4509</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2618522"></a><h2>AUTHOR</h2>
+<a name="id2617559"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-coverage.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">dnssec-coverage</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">dnssec-keyfromlabel</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html	(revision 286124)
@@ -1,357 +1,357 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-keyfromlabel</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
 <link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617657"></a><h2>DESCRIPTION</h2>
+<a name="id2616899"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keyfromlabel</strong></span>
       generates a key pair of files that referencing a key object stored
       in a cryptographic hardware service module (HSM).  The private key
       file can be used for DNSSEC signing of zone data as if it were a
       conventional signing key created by <span><strong class="command">dnssec-keygen</strong></span>,
       but the key material is stored within the HSM, and the actual signing
       takes place there.
     </p>
 <p>
       The <code class="option">name</code> of the key is specified on the command
       line.  This must match the name of the zone for which the key is
       being generated.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617683"></a><h2>OPTIONS</h2>
+<a name="id2616924"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
 <p>
 	    Selects the cryptographic algorithm.  The value of
             <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 	    ECDSAP256SHA256 or ECDSAP384SHA384.
 	    These values are case insensitive.
 	  </p>
 <p>
             If no algorithm is specified, then RSASHA1 will be used by
             default, unless the <code class="option">-3</code> option is specified,
             in which case NSEC3RSASHA1 will be used instead.  (If
             <code class="option">-3</code> is used and an algorithm is specified,
             that algorithm will be checked for compatibility with NSEC3.)
           </p>
 <p>
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
             algorithm, and DSA is recommended.
           </p>
 <p>
             Note 2: DH automatically sets the -k flag.
           </p>
 </dd>
 <dt><span class="term">-3</span></dt>
 <dd><p>
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
             If this option is used and no algorithm is explicitly
             set on the command line, NSEC3RSASHA1 will be used by
             default.
           </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd><p>
             Specifies the name of the crypto hardware (OpenSSL engine).
             When compiled with PKCS#11 support it defaults to "pkcs11".
           </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
 <dd><p>
             Specifies the label of the key pair in the crypto hardware.
             The label may be preceded by an optional OpenSSL engine name,
             separated by a colon, as in "pkcs11:keylabel".
           </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 <dd><p>
             Specifies the owner type of the key.  The value of
             <code class="option">nametype</code> must either be ZONE (for a DNSSEC
             zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
             a host (KEY)),
             USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
             These values are case insensitive.
           </p></dd>
 <dt><span class="term">-C</span></dt>
 <dd><p>
 	    Compatibility mode:  generates an old-style key, without
 	    any metadata.  By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
 	    will include the key's creation date in the metadata stored
 	    with the private key, and other dates may be set there as well
 	    (publication date, activation date, etc).  Keys that include
 	    this data may be incompatible with older versions of BIND; the
 	    <code class="option">-C</code> option suppresses them.
           </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd><p>
             Indicates that the DNS record containing the key should have
             the specified class.  If not specified, class IN is used.
           </p></dd>
 <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 <dd><p>
             Set the specified flag in the flag field of the KEY/DNSKEY record.
             The only recognized flags are KSK (Key Signing Key) and REVOKE.
           </p></dd>
 <dt><span class="term">-G</span></dt>
 <dd><p>
             Generate a key, but do not publish it or sign with it.  This
             option is incompatible with -P and -A.
           </p></dd>
 <dt><span class="term">-h</span></dt>
 <dd><p>
             Prints a short summary of the options and arguments to
             <span><strong class="command">dnssec-keyfromlabel</strong></span>.
           </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
             Sets the directory in which the key files are to be written.
           </p></dd>
 <dt><span class="term">-k</span></dt>
 <dd><p>
             Generate KEY records rather than DNSKEY records.
           </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
 <dd><p>
             Sets the default TTL to use for this key when it is converted
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
             already a DNSKEY RRset in place, in which case the existing TTL
             would take precedence.  Setting the default TTL to
             <code class="literal">0</code> or <code class="literal">none</code> removes it.
           </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 <dd><p>
             Sets the protocol value for the key.  The protocol
             is a number between 0 and 255.  The default is 3 (DNSSEC).
             Other possible values for this argument are listed in
             RFC 2535 and its successors.
           </p></dd>
 <dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
 <dd><p>
             Generate a key as an explicit successor to an existing key.
 	    The name, algorithm, size, and type of the key will be set
 	    to match the predecessor. The activation date of the new
 	    key will be set to the inactivation date of the existing
 	    one. The publication date will be set to the activation
 	    date minus the prepublication interval, which defaults to
 	    30 days.
           </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd><p>
             Indicates the use of the key.  <code class="option">type</code> must be
             one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
             is AUTHCONF.  AUTH refers to the ability to authenticate
             data, and CONF the ability to encrypt data.
           </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 <dd><p>
             Sets the debugging level.
           </p></dd>
 <dt><span class="term">-V</span></dt>
 <dd><p>
 	    Prints version information.
 	  </p></dd>
 <dt><span class="term">-y</span></dt>
 <dd><p>
             Allows DNSSEC key files to be generated even if the key ID
 	    would collide with that of an existing key, in the event of
 	    either key being revoked.  (This is only safe to use if you
             are sure you won't be using RFC 5011 trust anchor maintenance
             with either of the keys involved.)
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2620021"></a><h2>TIMING OPTIONS</h2>
+<a name="id2670258"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
       is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
       then the offset is computed in years (defined as 365 24-hour days,
       ignoring leap years), months (defined as 30 24-hour days), weeks,
       days, hours, or minutes, respectively.  Without a suffix, the offset
       is computed in seconds.  To explicitly prevent a date from being
       set, use 'none' or 'never'.
     </p>
 <div class="variablelist"><dl>
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
             not be used to sign it.  If not set, and if the -G option has
             not been used, the default is "now".
           </p></dd>
 <dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which the key is to be activated.  After that
             date, the key will be included in the zone and used to sign
             it.  If not set, and if the -G option has not been used, the
             default is "now".
           </p></dd>
 <dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which the key is to be revoked.  After that
             date, the key will be flagged as revoked.  It will be included
             in the zone and will be used to sign it.
           </p></dd>
 <dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which the key is to be retired.  After that
             date, the key will still be included in the zone, but it
             will not be used to sign it.
           </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which the key is to be deleted.  After that
             date, the key will no longer be included in the zone.  (It
             may remain in the key repository, however.)
           </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
 <p>
             Sets the prepublication interval for a key.  If set, then
             the publication and activation dates must be separated by at least
             this much time.  If the activation date is specified but the
             publication date isn't, then the publication date will default
             to this much time before the activation date; conversely, if
             the publication date is specified but activation date isn't,
             then activation will be set to this much time after publication.
           </p>
 <p>
             If the key is being created as an explicit successor to another
             key, then the default prepublication interval is 30 days; 
             otherwise it is zero.
           </p>
 <p>
             As with date offsets, if the argument is followed by one of
             the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
             interval is measured in years, months, weeks, days, hours,
             or minutes, respectively.  Without a suffix, the interval is
             measured in seconds.
           </p>
 </dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2668339"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2670379"></a><h2>GENERATED KEY FILES</h2>
 <p>
       When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
       successfully,
       it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
       to the standard output.  This is an identification string for
       the key files it has generated.
     </p>
 <div class="itemizedlist"><ul type="disc">
 <li><p><code class="filename">nnnn</code> is the key name.
         </p></li>
 <li><p><code class="filename">aaa</code> is the numeric representation
           of the algorithm.
         </p></li>
 <li><p><code class="filename">iiiii</code> is the key identifier (or
           footprint).
         </p></li>
 </ul></div>
 <p><span><strong class="command">dnssec-keyfromlabel</strong></span> 
       creates two files, with names based
       on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
       contains the public key, and
       <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
       private key.
     </p>
 <p>
       The <code class="filename">.key</code> file contains a DNS KEY record
       that
       can be inserted into a zone file (directly or with a $INCLUDE
       statement).
     </p>
 <p>
       The <code class="filename">.private</code> file contains
       algorithm-specific
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2668433"></a><h2>SEE ALSO</h2>
+<a name="id2670541"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4034</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2668466"></a><h2>AUTHOR</h2>
+<a name="id2670574"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">dnssec-dsfromkey</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">dnssec-keygen</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.dnssec-keygen.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-keygen.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-keygen.html	(revision 286124)
@@ -1,459 +1,459 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-keygen</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
 <link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.dnssec-revoke.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.dnssec-keygen"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2618705"></a><h2>DESCRIPTION</h2>
+<a name="id2618014"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keygen</strong></span>
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
       TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
       (Transaction Key) as defined in RFC 2930.
     </p>
 <p>
       The <code class="option">name</code> of the key is specified on the command
       line.  For DNSSEC keys, this must match the name of the zone for
       which the key is being generated.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2618725"></a><h2>OPTIONS</h2>
+<a name="id2618035"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
 <p>
             Selects the cryptographic algorithm.  For DNSSEC keys, the value
             of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 	    ECDSAP256SHA256 or ECDSAP384SHA384.
 	    For TSIG/TKEY, the value must
             be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
             HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
             case insensitive.
           </p>
 <p>
             If no algorithm is specified, then RSASHA1 will be used by
             default, unless the <code class="option">-3</code> option is specified,
             in which case NSEC3RSASHA1 will be used instead.  (If
             <code class="option">-3</code> is used and an algorithm is specified,
             that algorithm will be checked for compatibility with NSEC3.)
           </p>
 <p>
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
             algorithm, and DSA is recommended.  For TSIG, HMAC-MD5 is
 	    mandatory.
           </p>
 <p>
             Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
             automatically set the -T KEY option.
           </p>
 </dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 <dd>
 <p>
             Specifies the number of bits in the key.  The choice of key
             size depends on the algorithm used.  RSA keys must be
             between 512 and 2048 bits.  Diffie Hellman keys must be between
             128 and 4096 bits.  DSA keys must be between 512 and 1024
             bits and an exact multiple of 64.  HMAC keys must be
             between 1 and 512 bits. Elliptic curve algorithms don't need
             this parameter.
           </p>
 <p>
             The key size does not need to be specified if using a default
             algorithm.  The default key size is 1024 bits for zone signing
             keys (ZSK's) and 2048 bits for key signing keys (KSK's,
             generated with <code class="option">-f KSK</code>).  However, if an
             algorithm is explicitly specified with the <code class="option">-a</code>,
             then there is no default key size, and the <code class="option">-b</code>
             must be used.
           </p>
 </dd>
 <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 <dd><p>
             Specifies the owner type of the key.  The value of
             <code class="option">nametype</code> must either be ZONE (for a DNSSEC
             zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
             a host (KEY)),
             USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
             These values are case insensitive.  Defaults to ZONE for DNSKEY
 	    generation.
           </p></dd>
 <dt><span class="term">-3</span></dt>
 <dd><p>
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
             If this option is used and no algorithm is explicitly
             set on the command line, NSEC3RSASHA1 will be used by
             default. Note that RSASHA256, RSASHA512, ECCGOST,
 	    ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
 	    are NSEC3-capable.
           </p></dd>
 <dt><span class="term">-C</span></dt>
 <dd><p>
 	    Compatibility mode:  generates an old-style key, without
 	    any metadata.  By default, <span><strong class="command">dnssec-keygen</strong></span>
 	    will include the key's creation date in the metadata stored
 	    with the private key, and other dates may be set there as well
 	    (publication date, activation date, etc).  Keys that include
 	    this data may be incompatible with older versions of BIND; the
 	    <code class="option">-C</code> option suppresses them.
           </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd><p>
             Indicates that the DNS record containing the key should have
             the specified class.  If not specified, class IN is used.
           </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd><p>
             Uses a crypto hardware (OpenSSL engine) for random number
             and, when supported, key generation. When compiled with PKCS#11
             support it defaults to pkcs11; the empty name resets it to
             no engine.
           </p></dd>
 <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 <dd><p>
             Set the specified flag in the flag field of the KEY/DNSKEY record.
             The only recognized flags are KSK (Key Signing Key) and REVOKE.
           </p></dd>
 <dt><span class="term">-G</span></dt>
 <dd><p>
             Generate a key, but do not publish it or sign with it.  This
             option is incompatible with -P and -A.
           </p></dd>
 <dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
 <dd><p>
             If generating a Diffie Hellman key, use this generator.
             Allowed values are 2 and 5.  If no generator
             is specified, a known prime from RFC 2539 will be used
             if possible; otherwise the default is 2.
           </p></dd>
 <dt><span class="term">-h</span></dt>
 <dd><p>
             Prints a short summary of the options and arguments to
             <span><strong class="command">dnssec-keygen</strong></span>.
           </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
             Sets the directory in which the key files are to be written.
           </p></dd>
 <dt><span class="term">-k</span></dt>
 <dd><p>
             Deprecated in favor of -T KEY.
           </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
 <dd><p>
             Sets the default TTL to use for this key when it is converted
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
             already a DNSKEY RRset in place, in which case the existing TTL
             would take precedence.  If this value is not set and there
             is no existing DNSKEY RRset, the TTL will default to the
             SOA TTL. Setting the default TTL to <code class="literal">0</code>
             or <code class="literal">none</code> is the same as leaving it unset.
           </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 <dd><p>
             Sets the protocol value for the generated key.  The protocol
             is a number between 0 and 255.  The default is 3 (DNSSEC).
             Other possible values for this argument are listed in
             RFC 2535 and its successors.
           </p></dd>
 <dt><span class="term">-q</span></dt>
 <dd><p>
             Quiet mode: Suppresses unnecessary output, including
             progress indication.  Without this option, when
             <span><strong class="command">dnssec-keygen</strong></span> is run interactively
             to generate an RSA or DSA key pair, it will print a string
             of symbols to <code class="filename">stderr</code> indicating the
             progress of the key generation.  A '.' indicates that a
             random number has been found which passed an initial
             sieve test; '+' means a number has passed a single
             round of the Miller-Rabin primality test; a space
             means that the number has passed all the tests and is
             a satisfactory key.
           </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 <dd><p>
             Specifies the source of randomness.  If the operating
             system does not provide a <code class="filename">/dev/random</code>
             or equivalent device, the default source of randomness
             is keyboard input.  <code class="filename">randomdev</code>
             specifies
             the name of a character device or file containing random
             data to be used instead of the default.  The special value
             <code class="filename">keyboard</code> indicates that keyboard
             input should be used.
           </p></dd>
 <dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
 <dd><p>
             Create a new key which is an explicit successor to an
             existing key.  The name, algorithm, size, and type of the
             key will be set to match the existing key.  The activation
             date of the new key will be set to the inactivation date of
             the existing one.  The publication date will be set to the
             activation date minus the prepublication interval, which
             defaults to 30 days.
           </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
 <dd><p>
             Specifies the strength value of the key.  The strength is
             a number between 0 and 15, and currently has no defined
             purpose in DNSSEC.
           </p></dd>
 <dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
 <dd>
 <p>
             Specifies the resource record type to use for the key.
             <code class="option">rrtype</code> must be either DNSKEY or KEY.  The
             default is DNSKEY when using a DNSSEC algorithm, but it can be
             overridden to KEY for use with SIG(0).
           </p>
 <p>
           </p>
 <p>
             Using any TSIG algorithm (HMAC-* or DH) forces this option
             to KEY.
           </p>
 </dd>
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd><p>
             Indicates the use of the key.  <code class="option">type</code> must be
             one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
             is AUTHCONF.  AUTH refers to the ability to authenticate
             data, and CONF the ability to encrypt data.
           </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 <dd><p>
             Sets the debugging level.
           </p></dd>
 <dt><span class="term">-V</span></dt>
 <dd><p>
 	    Prints version information.
 	  </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2668968"></a><h2>TIMING OPTIONS</h2>
+<a name="id2671760"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
       is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
       then the offset is computed in years (defined as 365 24-hour days,
       ignoring leap years), months (defined as 30 24-hour days), weeks,
       days, hours, or minutes, respectively.  Without a suffix, the offset
       is computed in seconds.  To explicitly prevent a date from being
       set, use 'none' or 'never'.
     </p>
 <div class="variablelist"><dl>
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
             not be used to sign it.  If not set, and if the -G option has
             not been used, the default is "now".
           </p></dd>
 <dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which the key is to be activated.  After that
             date, the key will be included in the zone and used to sign
             it.  If not set, and if the -G option has not been used, the
             default is "now".  If set, if and -P is not set, then
             the publication date will be set to the activation date
             minus the prepublication interval.
           </p></dd>
 <dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which the key is to be revoked.  After that
             date, the key will be flagged as revoked.  It will be included
             in the zone and will be used to sign it.
           </p></dd>
 <dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which the key is to be retired.  After that
             date, the key will still be included in the zone, but it
             will not be used to sign it.
           </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which the key is to be deleted.  After that
             date, the key will no longer be included in the zone.  (It
             may remain in the key repository, however.)
           </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
 <p>
             Sets the prepublication interval for a key.  If set, then
             the publication and activation dates must be separated by at least
             this much time.  If the activation date is specified but the
             publication date isn't, then the publication date will default
             to this much time before the activation date; conversely, if
             the publication date is specified but activation date isn't,
             then activation will be set to this much time after publication.
           </p>
 <p>
             If the key is being created as an explicit successor to another
             key, then the default prepublication interval is 30 days; 
             otherwise it is zero.
           </p>
 <p>
             As with date offsets, if the argument is followed by one of
             the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
             interval is measured in years, months, weeks, days, hours,
             or minutes, respectively.  Without a suffix, the interval is
             measured in seconds.
           </p>
 </dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669226"></a><h2>GENERATED KEYS</h2>
+<a name="id2671881"></a><h2>GENERATED KEYS</h2>
 <p>
       When <span><strong class="command">dnssec-keygen</strong></span> completes
       successfully,
       it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
       to the standard output.  This is an identification string for
       the key it has generated.
     </p>
 <div class="itemizedlist"><ul type="disc">
 <li><p><code class="filename">nnnn</code> is the key name.
         </p></li>
 <li><p><code class="filename">aaa</code> is the numeric representation
           of the
           algorithm.
         </p></li>
 <li><p><code class="filename">iiiii</code> is the key identifier (or
           footprint).
         </p></li>
 </ul></div>
 <p><span><strong class="command">dnssec-keygen</strong></span> 
       creates two files, with names based
       on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
       contains the public key, and
       <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
       private
       key.
     </p>
 <p>
       The <code class="filename">.key</code> file contains a DNS KEY record
       that
       can be inserted into a zone file (directly or with a $INCLUDE
       statement).
     </p>
 <p>
       The <code class="filename">.private</code> file contains
       algorithm-specific
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </p>
 <p>
       Both <code class="filename">.key</code> and <code class="filename">.private</code>
       files are generated for symmetric encryption algorithms such as
       HMAC-MD5, even though the public and private key are equivalent.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669334"></a><h2>EXAMPLE</h2>
+<a name="id2672057"></a><h2>EXAMPLE</h2>
 <p>
       To generate a 768-bit DSA key for the domain
       <strong class="userinput"><code>example.com</code></strong>, the following command would be
       issued:
     </p>
 <p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
     </p>
 <p>
       The command would print a string of the form:
     </p>
 <p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
     </p>
 <p>
       In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
       the files <code class="filename">Kexample.com.+003+26160.key</code>
       and
       <code class="filename">Kexample.com.+003+26160.private</code>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669459"></a><h2>SEE ALSO</h2>
+<a name="id2672114"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2539</em>,
       <em class="citetitle">RFC 2845</em>,
       <em class="citetitle">RFC 4034</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2669490"></a><h2>AUTHOR</h2>
+<a name="id2672145"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-revoke.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">dnssec-keyfromlabel</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">dnssec-revoke</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.dnssec-revoke.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-revoke.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-revoke.html	(revision 286124)
@@ -1,136 +1,136 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-revoke</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
 <link rel="next" href="man.dnssec-settime.html" title="dnssec-settime">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">dnssec-revoke</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.dnssec-settime.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.dnssec-revoke"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">dnssec-revoke</span> &#8212; Set the REVOKED bit on a DNSSEC key</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code>  [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2619155"></a><h2>DESCRIPTION</h2>
+<a name="id2618533"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-revoke</strong></span>
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
       now-revoked key.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2619169"></a><h2>OPTIONS</h2>
+<a name="id2618547"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-h</span></dt>
 <dd><p>
 	    Emit usage message and exit.
 	  </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
             Sets the directory in which the key files are to reside.
           </p></dd>
 <dt><span class="term">-r</span></dt>
 <dd><p>
 	    After writing the new keyset files remove the original keyset
 	    files.
 	  </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 <dd><p>
             Sets the debugging level.
           </p></dd>
 <dt><span class="term">-V</span></dt>
 <dd><p>
 	    Prints version information.
 	  </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd><p>
             Use the given OpenSSL engine. When compiled with PKCS#11 support
             it defaults to pkcs11; the empty name resets it to no engine.
           </p></dd>
 <dt><span class="term">-f</span></dt>
 <dd><p>
             Force overwrite: Causes <span><strong class="command">dnssec-revoke</strong></span> to
             write the new key pair even if a file already exists matching
             the algorithm and key ID of the revoked key.
           </p></dd>
 <dt><span class="term">-R</span></dt>
 <dd><p>
 	    Print the key tag of the key with the REVOKE bit set but do
 	    not revoke the key.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2619303"></a><h2>SEE ALSO</h2>
+<a name="id2618681"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5011</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2619396"></a><h2>AUTHOR</h2>
+<a name="id2618706"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-settime.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">dnssec-keygen</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">dnssec-settime</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.dnssec-settime.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-settime.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-settime.html	(revision 286124)
@@ -1,266 +1,266 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-settime</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke">
 <link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">dnssec-settime</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.dnssec-revoke.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.dnssec-settime"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">dnssec-settime</span> &#8212; Set the key timing metadata for a DNSSEC key</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">dnssec-settime</code>  [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2619582"></a><h2>DESCRIPTION</h2>
+<a name="id2619302"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-settime</strong></span>
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
       <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
       options.  The metadata can then be used by
       <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
       determine when a key is to be published, whether it should be
       used for signing a zone, etc.
     </p>
 <p>
       If none of these options is set on the command line,
       then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
       metadata already stored in the key.
     </p>
 <p>
       When key metadata fields are changed, both files of a key
       pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
       <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
       Metadata fields are stored in the private file.  A human-readable
       description of the metadata is also placed in comments in the key
       file.  The private file's permissions are always set to be
       inaccessible to anyone other than the owner (mode 0600).
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2619641"></a><h2>OPTIONS</h2>
+<a name="id2619361"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-f</span></dt>
 <dd><p>
 	    Force an update of an old-format key with no metadata fields.
             Without this option, <span><strong class="command">dnssec-settime</strong></span> will
             fail when attempting to update a legacy key.  With this option,
             the key will be recreated in the new format, but with the
             original key data retained.  The key's creation date will be
             set to the present time.  If no other values are specified, 
             then the key's publication and activation dates will also 
             be set to the present time.
 	  </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
             Sets the directory in which the key files are to reside.
           </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
 <dd><p>
             Sets the default TTL to use for this key when it is converted
             into a DNSKEY RR.  If the key is imported into a zone,
             this is the TTL that will be used for it, unless there was
             already a DNSKEY RRset in place, in which case the existing TTL
             would take precedence.  If this value is not set and there
             is no existing DNSKEY RRset, the TTL will default to the
             SOA TTL. Setting the default TTL to <code class="literal">0</code>
             or <code class="literal">none</code> removes it from the key.
           </p></dd>
 <dt><span class="term">-h</span></dt>
 <dd><p>
 	    Emit usage message and exit.
 	  </p></dd>
 <dt><span class="term">-V</span></dt>
 <dd><p>
 	    Prints version information.
 	  </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 <dd><p>
             Sets the debugging level.
           </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd><p>
             Use the given OpenSSL engine. When compiled with PKCS#11 support
             it defaults to pkcs11; the empty name resets it to no engine.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2620324"></a><h2>TIMING OPTIONS</h2>
+<a name="id2619497"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
       an offset from the present time.  For convenience, if such an offset
       is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
       then the offset is computed in years (defined as 365 24-hour days,
       ignoring leap years), months (defined as 30 24-hour days), weeks,
       days, hours, or minutes, respectively.  Without a suffix, the offset
       is computed in seconds.  To unset a date, use 'none' or 'never'.
     </p>
 <div class="variablelist"><dl>
 <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
             not be used to sign it.
           </p></dd>
 <dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which the key is to be activated.  After that
             date, the key will be included in the zone and used to sign
             it.
           </p></dd>
 <dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which the key is to be revoked.  After that
             date, the key will be flagged as revoked.  It will be included
             in the zone and will be used to sign it.
           </p></dd>
 <dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which the key is to be retired.  After that
             date, the key will still be included in the zone, but it
             will not be used to sign it.
           </p></dd>
 <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
 <dd><p>
             Sets the date on which the key is to be deleted.  After that
             date, the key will no longer be included in the zone.  (It
             may remain in the key repository, however.)
           </p></dd>
 <dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
 <dd><p>
             Select a key for which the key being modified will be an
             explicit successor.  The name, algorithm, size, and type of the
             predecessor key must exactly match those of the key being
             modified.  The activation date of the successor key will be set
             to the inactivation date of the predecessor.  The publication
             date will be set to the activation date minus the prepublication
             interval, which defaults to 30 days.
           </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
 <p>
             Sets the prepublication interval for a key.  If set, then
             the publication and activation dates must be separated by at least
             this much time.  If the activation date is specified but the
             publication date isn't, then the publication date will default
             to this much time before the activation date; conversely, if
             the publication date is specified but activation date isn't,
             then activation will be set to this much time after publication.
           </p>
 <p>
             If the key is being set to be an explicit successor to another
             key, then the default prepublication interval is 30 days; 
             otherwise it is zero.
           </p>
 <p>
             As with date offsets, if the argument is followed by one of
             the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
             interval is measured in years, months, weeks, days, hours,
             or minutes, respectively.  Without a suffix, the interval is
             measured in seconds.
           </p>
 </dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2620462"></a><h2>PRINTING OPTIONS</h2>
+<a name="id2619772"></a><h2>PRINTING OPTIONS</h2>
 <p>
       <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
       timing metadata associated with a key.
     </p>
 <div class="variablelist"><dl>
 <dt><span class="term">-u</span></dt>
 <dd><p>
 	    Print times in UNIX epoch format.
 	  </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
 <dd><p>
 	    Print a specific metadata value or set of metadata values.
             The <code class="option">-p</code> option may be followed by one or more
             of the following letters to indicate which value or values to print:
             <code class="option">C</code> for the creation date,
             <code class="option">P</code> for the publication date,
             <code class="option">A</code> for the activation date,
             <code class="option">R</code> for the revocation date,
             <code class="option">I</code> for the inactivation date, or
             <code class="option">D</code> for the deletion date.
             To print all of the metadata, use <code class="option">-p all</code>.
 	  </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2622659"></a><h2>SEE ALSO</h2>
+<a name="id2619852"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5011</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2630952"></a><h2>AUTHOR</h2>
+<a name="id2619885"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-revoke.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">dnssec-revoke</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">dnssec-signzone</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.dnssec-signzone.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-signzone.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-signzone.html	(revision 286124)
@@ -1,549 +1,549 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-signzone</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
 <link rel="next" href="man.dnssec-verify.html" title="dnssec-verify">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.dnssec-settime.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.dnssec-verify.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.dnssec-signzone"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2634651"></a><h2>DESCRIPTION</h2>
+<a name="id2622083"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-signzone</strong></span>
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
       zone. The security status of delegations from the signed zone
       (that is, whether the child zones are secure or not) is
       determined by the presence or absence of a
       <code class="filename">keyset</code> file for each child zone.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2634670"></a><h2>OPTIONS</h2>
+<a name="id2622102"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd><p>
             Verify all generated signatures.
           </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd><p>
             Specifies the DNS class of the zone.
           </p></dd>
 <dt><span class="term">-C</span></dt>
 <dd><p>
             Compatibility mode: Generate a
             <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
             file in addition to
             <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
             when signing a zone, for use by older versions of
             <span><strong class="command">dnssec-signzone</strong></span>.
           </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
             Look for <code class="filename">dsset-</code> or
             <code class="filename">keyset-</code> files in <code class="option">directory</code>.
           </p></dd>
 <dt><span class="term">-D</span></dt>
 <dd><p>
 	    Output only those record types automatically managed by
 	    <span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
 	    NSEC3 and NSEC3PARAM records. If smart signing
 	    (<code class="option">-S</code>) is used, DNSKEY records are also
 	    included. The resulting file can be included in the original
 	    zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
 	    cannot be combined with <code class="option">-O raw</code> or serial
 	    number updating.
           </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 <dd><p>
             Uses a crypto hardware (OpenSSL engine) for the crypto operations
             it supports, for instance signing with private keys from
             a secure key store. When compiled with PKCS#11 support
             it defaults to pkcs11; the empty name resets it to no engine.
           </p></dd>
 <dt><span class="term">-g</span></dt>
 <dd><p>
             Generate DS records for child zones from
             <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
             file.  Existing DS records will be removed.
           </p></dd>
 <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
             Key repository: Specify a directory to search for DNSSEC keys.
             If not specified, defaults to the current directory.
           </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
 <dd><p>
             Treat specified key as a key signing key ignoring any
             key flags.  This option may be specified multiple times.
           </p></dd>
 <dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 <dd><p>
             Generate a DLV set in addition to the key (DNSKEY) and DS sets.
             The domain is appended to the name of the records.
           </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
 <dd><p>
             Specify the date and time when the generated RRSIG records
             become valid.  This can be either an absolute or relative
             time.  An absolute start time is indicated by a number
             in YYYYMMDDHHMMSS notation; 20000530144500 denotes
             14:45:00 UTC on May 30th, 2000.  A relative start time is
             indicated by +N, which is N seconds from the current time.
             If no <code class="option">start-time</code> is specified, the current
             time minus 1 hour (to allow for clock skew) is used.
           </p></dd>
 <dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
 <dd><p>
             Specify the date and time when the generated RRSIG records
             expire.  As with <code class="option">start-time</code>, an absolute
             time is indicated in YYYYMMDDHHMMSS notation.  A time relative
             to the start time is indicated with +N, which is N seconds from
             the start time.  A time relative to the current time is
             indicated with now+N.  If no <code class="option">end-time</code> is
             specified, 30 days from the start time is used as a default.
             <code class="option">end-time</code> must be later than
             <code class="option">start-time</code>.
           </p></dd>
 <dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
 <dd>
 <p>
             Specify the date and time when the generated RRSIG records
             for the DNSKEY RRset will expire.  This is to be used in cases
             when the DNSKEY signatures need to persist longer than
             signatures on other records; e.g., when the private component
             of the KSK is kept offline and the KSK signature is to be
             refreshed manually.
           </p>
 <p>
             As with <code class="option">start-time</code>, an absolute
             time is indicated in YYYYMMDDHHMMSS notation.  A time relative
             to the start time is indicated with +N, which is N seconds from
             the start time.  A time relative to the current time is
             indicated with now+N.  If no <code class="option">extended end-time</code> is
             specified, the value of <code class="option">end-time</code> is used as
             the default.  (<code class="option">end-time</code>, in turn, defaults to
             30 days from the start time.) <code class="option">extended end-time</code>
             must be later than <code class="option">start-time</code>.
           </p>
 </dd>
 <dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
 <dd><p>
             The name of the output file containing the signed zone.  The
             default is to append <code class="filename">.signed</code> to
             the input filename.  If <code class="option">output-file</code> is
             set to <code class="literal">"-"</code>, then the signed zone is
             written to the standard output, with a default output
             format of "full".
           </p></dd>
 <dt><span class="term">-h</span></dt>
 <dd><p>
             Prints a short summary of the options and arguments to
             <span><strong class="command">dnssec-signzone</strong></span>.
           </p></dd>
 <dt><span class="term">-V</span></dt>
 <dd><p>
 	    Prints version information.
 	  </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 <dd>
 <p>
             When a previously-signed zone is passed as input, records
             may be resigned.  The <code class="option">interval</code> option
             specifies the cycle interval as an offset from the current
             time (in seconds).  If a RRSIG record expires after the
             cycle interval, it is retained.  Otherwise, it is considered
             to be expiring soon, and it will be replaced.
           </p>
 <p>
             The default cycle interval is one quarter of the difference
             between the signature end and start times.  So if neither
             <code class="option">end-time</code> or <code class="option">start-time</code>
             are specified, <span><strong class="command">dnssec-signzone</strong></span>
             generates
             signatures that are valid for 30 days, with a cycle
             interval of 7.5 days.  Therefore, if any existing RRSIG records
             are due to expire in less than 7.5 days, they would be
             replaced.
           </p>
 </dd>
 <dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
 <dd><p>
             The format of the input zone file.
 	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
 	    and <span><strong class="command">"raw"</strong></span>.
 	    This option is primarily intended to be used for dynamic
             signed zones so that the dumped zone file in a non-text
             format containing updates can be signed directly.
 	    The use of this option does not make much sense for
 	    non-dynamic zones.
           </p></dd>
 <dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
 <dd>
 <p>
             When signing a zone with a fixed signature lifetime, all
             RRSIG records issued at the time of signing expires
             simultaneously.  If the zone is incrementally signed, i.e.
             a previously-signed zone is passed as input to the signer,
             all expired signatures have to be regenerated at about the
             same time.  The <code class="option">jitter</code> option specifies a
             jitter window that will be used to randomize the signature
             expire time, thus spreading incremental signature
             regeneration over time.
           </p>
 <p>
             Signature lifetime jitter also to some extent benefits
             validators and servers by spreading out cache expiration,
             i.e. if large numbers of RRSIGs don't expire at the same time
             from all caches there will be less congestion than if all
             validators need to refetch at mostly the same time.
           </p>
 </dd>
 <dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
 <dd><p>
             When writing a signed zone to 'raw' format, set the "source serial" 
             value in the header to the specified serial number.  (This is
             expected to be used primarily for testing purposes.)
           </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
 <dd><p>
             Specifies the number of threads to use.  By default, one
             thread is started for each detected CPU.
           </p></dd>
 <dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
 <dd>
 <p>
             The SOA serial number format of the signed zone.
 	    Possible formats are <span><strong class="command">"keep"</strong></span> (default),
             <span><strong class="command">"increment"</strong></span> and
 	    <span><strong class="command">"unixtime"</strong></span>.
           </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
 <dd><p>Do not modify the SOA serial number.</p></dd>
 <dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
 <dd><p>Increment the SOA serial number using RFC 1982
                       arithmetics.</p></dd>
 <dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
 <dd><p>Set the SOA serial number to the number of seconds
 	        since epoch.</p></dd>
 </dl></div>
 </dd>
 <dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
 <dd><p>
             The zone origin.  If not specified, the name of the zone file
             is assumed to be the origin.
           </p></dd>
 <dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
 <dd><p>
             The format of the output file containing the signed zone.
 	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
 	    <span><strong class="command">"full"</strong></span>, which is text output in a
             format suitable for processing by external scripts,
             and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>,
             which store the zone in a binary format for rapid loading
             by <span><strong class="command">named</strong></span>.  <span><strong class="command">"raw=N"</strong></span>
             specifies the format version of the raw zone file: if N
             is 0, the raw file can be read by any version of
             <span><strong class="command">named</strong></span>; if N is 1, the file can be
             read by release 9.9.0 or higher.  The default is 1.
           </p></dd>
 <dt><span class="term">-p</span></dt>
 <dd><p>
             Use pseudo-random data when signing the zone.  This is faster,
             but less secure, than using real random data.  This option
             may be useful when signing large zones or when the entropy
             source is limited.
           </p></dd>
 <dt><span class="term">-P</span></dt>
 <dd>
 <p>
 	    Disable post sign verification tests.
           </p>
 <p>
 	    The post sign verification test ensures that for each algorithm
 	    in use there is at least one non revoked self signed KSK key,
 	    that all revoked KSK keys are self signed, and that all records
 	    in the zone are signed by the algorithm.
 	    This option skips these tests.
           </p>
 </dd>
 <dt><span class="term">-Q</span></dt>
 <dd>
 <p>
 	    Remove signatures from keys that are no longer active.
           </p>
 <p>
             Normally, when a previously-signed zone is passed as input
             to the signer, and a DNSKEY record has been removed and
             replaced with a new one, signatures from the old key 
             that are still within their validity period are retained.
 	    This allows the zone to continue to validate with cached
 	    copies of the old DNSKEY RRset.  The <code class="option">-Q</code>
             forces <span><strong class="command">dnssec-signzone</strong></span> to remove
             signatures from keys that are no longer active. This
             enables ZSK rollover using the procedure described in
             RFC 4641, section 4.2.1.1 ("Pre-Publish Key Rollover").
           </p>
 </dd>
 <dt><span class="term">-R</span></dt>
 <dd>
 <p>
 	    Remove signatures from keys that are no longer published.
           </p>
 <p>
             This option is similar to <code class="option">-Q</code>, except it
             forces <span><strong class="command">dnssec-signzone</strong></span> to signatures from
             keys that are no longer published. This enables ZSK rollover
             using the procedure described in RFC 4641, section 4.2.1.2
             ("Double Signature Zone Signing Key Rollover").
           </p>
 </dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 <dd><p>
             Specifies the source of randomness.  If the operating
             system does not provide a <code class="filename">/dev/random</code>
             or equivalent device, the default source of randomness
             is keyboard input.  <code class="filename">randomdev</code>
             specifies
             the name of a character device or file containing random
             data to be used instead of the default.  The special value
             <code class="filename">keyboard</code> indicates that keyboard
             input should be used.
           </p></dd>
 <dt><span class="term">-S</span></dt>
 <dd>
 <p>
             Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
             search the key repository for keys that match the zone being
             signed, and to include them in the zone if appropriate.
           </p>
 <p>
             When a key is found, its timing metadata is examined to
             determine how it should be used, according to the following
             rules.  Each successive rule takes priority over the prior
             ones:
           </p>
 <div class="variablelist"><dl>
 <dt></dt>
 <dd><p>
                   If no timing metadata has been set for the key, the key is
                   published in the zone and used to sign the zone.
                 </p></dd>
 <dt></dt>
 <dd><p>
                   If the key's publication date is set and is in the past, the
                   key is published in the zone.
                 </p></dd>
 <dt></dt>
 <dd><p>
                   If the key's activation date is set and in the past, the
                   key is published (regardless of publication date) and
                   used to sign the zone.  
                 </p></dd>
 <dt></dt>
 <dd><p>
                   If the key's revocation date is set and in the past, and the
                   key is published, then the key is revoked, and the revoked key
                   is used to sign the zone.
                 </p></dd>
 <dt></dt>
 <dd><p>
                   If either of the key's unpublication or deletion dates are set
                   and in the past, the key is NOT published or used to sign the
                   zone, regardless of any other metadata.
                 </p></dd>
 </dl></div>
 </dd>
 <dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
 <dd><p>
             Specifies a TTL to be used for new DNSKEY records imported
             into the zone from the key repository.  If not
             specified, the default is the TTL value from the zone's SOA
             record.  This option is ignored when signing without
             <code class="option">-S</code>, since DNSKEY records are not imported
             from the key repository in that case.  It is also ignored if
             there are any pre-existing DNSKEY records at the zone apex,
             in which case new records' TTL values will be set to match
             them, or if any of the imported DNSKEY records had a default
             TTL value.  In the event of a a conflict between TTL values in
             imported keys, the shortest one is used.
           </p></dd>
 <dt><span class="term">-t</span></dt>
 <dd><p>
             Print statistics at completion.
           </p></dd>
 <dt><span class="term">-u</span></dt>
 <dd><p>
             Update NSEC/NSEC3 chain when re-signing a previously signed
             zone.  With this option, a zone signed with NSEC can be
             switched to NSEC3, or a zone signed with NSEC3 can
             be switch to NSEC or to NSEC3 with different parameters.
             Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
             retain the existing chain when re-signing.
           </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 <dd><p>
             Sets the debugging level.
           </p></dd>
 <dt><span class="term">-x</span></dt>
 <dd><p>
             Only sign the DNSKEY RRset with key-signing keys, and omit
             signatures from zone-signing keys.  (This is similar to the
             <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
             <span><strong class="command">named</strong></span>.)
           </p></dd>
 <dt><span class="term">-z</span></dt>
 <dd><p>
             Ignore KSK flag on key when determining what to sign.  This
             causes KSK-flagged keys to sign all records, not just the
             DNSKEY RRset.  (This is similar to the
             <span><strong class="command">update-check-ksk no;</strong></span> zone option in
             <span><strong class="command">named</strong></span>.)
           </p></dd>
 <dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
 <dd><p>
             Generate an NSEC3 chain with the given hex encoded salt.
 	    A dash (<em class="replaceable"><code>salt</code></em>) can
 	    be used to indicate that no salt is to be used when generating		    the NSEC3 chain.
           </p></dd>
 <dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
 <dd><p>
 	    When generating an NSEC3 chain, use this many iterations.  The
 	    default is 10.
           </p></dd>
 <dt><span class="term">-A</span></dt>
 <dd>
 <p>
 	    When generating an NSEC3 chain set the OPTOUT flag on all
 	    NSEC3 records and do not generate NSEC3 records for insecure
 	    delegations.
           </p>
 <p>
 	    Using this option twice (i.e., <code class="option">-AA</code>)
 	    turns the OPTOUT flag off for all records.  This is useful
 	    when using the <code class="option">-u</code> option to modify an NSEC3
 	    chain which previously had OPTOUT set.
           </p>
 </dd>
 <dt><span class="term">zonefile</span></dt>
 <dd><p>
             The file containing the zone to be signed.
           </p></dd>
 <dt><span class="term">key</span></dt>
 <dd><p>
 	    Specify which keys should be used to sign the zone.  If
 	    no keys are specified, then the zone will be examined
 	    for DNSKEY records at the zone apex.  If these are found and
 	    there are matching private keys, in the current directory,
 	    then these will be used for signing.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2670819"></a><h2>EXAMPLE</h2>
+<a name="id2676409"></a><h2>EXAMPLE</h2>
 <p>
       The following command signs the <strong class="userinput"><code>example.com</code></strong>
       zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
       (Kexample.com.+003+17247).  Because the <span><strong class="command">-S</strong></span> option
       is not being used, the zone's keys must be in the master file
       (<code class="filename">db.example.com</code>).  This invocation looks
       for <code class="filename">dsset</code> files, in the current directory,
       so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
     </p>
 <pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
 Kexample.com.+003+17247
 db.example.com.signed
 %</pre>
 <p>
       In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
       the file <code class="filename">db.example.com.signed</code>.  This
       file should be referenced in a zone statement in a
       <code class="filename">named.conf</code> file.
     </p>
 <p>
       This example re-signs a previously signed zone with default parameters.
       The private keys are assumed to be in the current directory.
     </p>
 <pre class="programlisting">% cp db.example.com.signed db.example.com
 % dnssec-signzone -o example.com db.example.com
 db.example.com.signed
 %</pre>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2670898"></a><h2>SEE ALSO</h2>
+<a name="id2676488"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>, <em class="citetitle">RFC 4641</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2670925"></a><h2>AUTHOR</h2>
+<a name="id2676516"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-settime.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-verify.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">dnssec-settime</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">dnssec-verify</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.dnssec-verify.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-verify.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-verify.html	(revision 286124)
@@ -1,161 +1,161 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-verify</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
 <link rel="next" href="man.named-checkconf.html" title="named-checkconf">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.dnssec-verify"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">dnssec-verify</code>  [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2631061"></a><h2>DESCRIPTION</h2>
+<a name="id2622588"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-verify</strong></span>
       verifies that a zone is fully signed for each algorithm found
       in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
       chains are complete.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2631075"></a><h2>OPTIONS</h2>
+<a name="id2622602"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd><p>
             Specifies the DNS class of the zone.
           </p></dd>
 <dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
 <dd><p>
             The format of the input zone file.
 	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
 	    and <span><strong class="command">"raw"</strong></span>.
 	    This option is primarily intended to be used for dynamic
             signed zones so that the dumped zone file in a non-text
             format containing updates can be verified independently.
 	    The use of this option does not make much sense for
 	    non-dynamic zones.
           </p></dd>
 <dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
 <dd><p>
             The zone origin.  If not specified, the name of the zone file
             is assumed to be the origin.
           </p></dd>
 <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 <dd><p>
             Sets the debugging level.
           </p></dd>
 <dt><span class="term">-V</span></dt>
 <dd><p>
 	    Prints version information.
 	  </p></dd>
 <dt><span class="term">-x</span></dt>
 <dd><p>
             Only verify that the DNSKEY RRset is signed with key-signing
             keys.  Without this flag, it is assumed that the DNSKEY RRset
             will be signed by all active keys.  When this flag is set,
             it will not be an error if the DNSKEY RRset is not signed
             by zone-signing keys.  This corresponds to the <code class="option">-x</code>
             option in <span><strong class="command">dnssec-signzone</strong></span>.
           </p></dd>
 <dt><span class="term">-z</span></dt>
 <dd>
 <p>
 	    Ignore the KSK flag on the keys when determining whether
             the zone if correctly signed.  Without this flag it is
 	    assumed that there will be a non-revoked, self-signed
 	    DNSKEY with the KSK flag set for each algorithm and
 	    that RRsets other than DNSKEY RRset will be signed with
             a different DNSKEY without the KSK flag set.
 	  </p>
 <p>
 	    With this flag set, we only require that for each algorithm,
             there will be at least one non-revoked, self-signed DNSKEY,
             regardless of the KSK flag state, and that other RRsets
 	    will be signed by a non-revoked key for the same algorithm
             that includes the self-signed key; the same key may be used
             for both purposes.  This corresponds to the <code class="option">-z</code>
             option in <span><strong class="command">dnssec-signzone</strong></span>.
 	  </p>
 </dd>
 <dt><span class="term">zonefile</span></dt>
 <dd><p>
             The file containing the zone to be signed.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2635197"></a><h2>SEE ALSO</h2>
+<a name="id2627134"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2635223"></a><h2>AUTHOR</h2>
+<a name="id2627160"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">dnssec-signzone</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">named-checkconf</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.genrandom.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.genrandom.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.genrandom.html	(revision 286124)
@@ -1,113 +1,113 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>genrandom</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.arpaname.html" title="arpaname">
 <link rel="next" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">genrandom</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.arpaname.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.genrandom"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">genrandom</span> &#8212; generate a file containing random data</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">genrandom</code>  [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2659899"></a><h2>DESCRIPTION</h2>
+<a name="id2660574"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">genrandom</strong></span>
       generates a file or a set of files containing a specified quantity
       of pseudo-random data, which can be used as a source of entropy for
       other commands on systems with no random device.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2659914"></a><h2>ARGUMENTS</h2>
+<a name="id2660589"></a><h2>ARGUMENTS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
 <dd><p>
             In place of generating one file, generates <code class="option">number</code>
             (from 2 to 9) files, appending <code class="option">number</code> to the name.
           </p></dd>
 <dt><span class="term">size</span></dt>
 <dd><p>
             The size of the file, in kilobytes, to generate.
           </p></dd>
 <dt><span class="term">filename</span></dt>
 <dd><p>
             The file name into which random data should be written.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2659975"></a><h2>SEE ALSO</h2>
+<a name="id2660650"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2660002"></a><h2>AUTHOR</h2>
+<a name="id2660677"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.arpaname.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">arpaname</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">isc-hmac-fixup</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.host.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.host.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.host.html	(revision 286124)
@@ -1,254 +1,254 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>host</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dig.html" title="dig">
 <link rel="next" href="man.dnssec-checkds.html" title="dnssec-checkds">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center">host</th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.dig.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.host"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>host &#8212; DNS lookup utility</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-v</code>] [<code class="option">-V</code>] {name} [server]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613042"></a><h2>DESCRIPTION</h2>
+<a name="id2612829"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">host</strong></span>
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
       When no arguments or options are given,
       <span><strong class="command">host</strong></span>
       prints a short summary of its command line arguments and options.
     </p>
 <p><em class="parameter"><code>name</code></em> is the domain name that is to be
       looked
       up.  It can also be a dotted-decimal IPv4 address or a colon-delimited
       IPv6 address, in which case <span><strong class="command">host</strong></span> will by
       default
       perform a reverse lookup for that address.
       <em class="parameter"><code>server</code></em> is an optional argument which
       is either
       the name or IP address of the name server that <span><strong class="command">host</strong></span>
       should query instead of the server or servers listed in
       <code class="filename">/etc/resolv.conf</code>.
     </p>
 <p>
       The <code class="option">-a</code> (all) option is equivalent to setting the
       <code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make
       a query of type ANY.
     </p>
 <p>
       When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span>
       will attempt to display the SOA records for zone
       <em class="parameter"><code>name</code></em> from all the listed
       authoritative name
       servers for that zone.  The list of name servers is defined by the NS
       records that are found for the zone.
     </p>
 <p>
       The <code class="option">-c</code> option instructs to make a DNS query of class
       <em class="parameter"><code>class</code></em>.  This can be used to lookup
       Hesiod or
       Chaosnet class resource records.  The default class is IN (Internet).
     </p>
 <p>
       Verbose output is generated by <span><strong class="command">host</strong></span> when
       the
       <code class="option">-d</code> or <code class="option">-v</code> option is used.  The two
       options are equivalent.  They have been provided for backwards
       compatibility.  In previous versions, the <code class="option">-d</code> option
       switched on debugging traces and <code class="option">-v</code> enabled verbose
       output.
     </p>
 <p>
       List mode is selected by the <code class="option">-l</code> option.  This makes
       <span><strong class="command">host</strong></span> perform a zone transfer for zone
       <em class="parameter"><code>name</code></em>.  Transfer the zone printing out
       the NS, PTR
       and address records (A/AAAA).  If combined with <code class="option">-a</code>
       all records will be printed.
     </p>
 <p>
       The <code class="option">-i</code>
       option specifies that reverse lookups of IPv6 addresses should
       use the IP6.INT domain as defined in RFC1886.
       The default is to use IP6.ARPA.
     </p>
 <p>
       The <code class="option">-N</code> option sets the number of dots that have to be
       in <em class="parameter"><code>name</code></em> for it to be considered
       absolute.  The
       default value is that defined using the ndots statement in
       <code class="filename">/etc/resolv.conf</code>, or 1 if no ndots
       statement is
       present.  Names with fewer dots are interpreted as relative names and
       will be searched for in the domains listed in the <span class="type">search</span>
       or <span class="type">domain</span> directive in
       <code class="filename">/etc/resolv.conf</code>.
     </p>
 <p>
       The number of UDP retries for a lookup can be changed with the
       <code class="option">-R</code> option.  <em class="parameter"><code>number</code></em>
       indicates
       how many times <span><strong class="command">host</strong></span> will repeat a query
       that does
       not get answered.  The default number of retries is 1.  If
       <em class="parameter"><code>number</code></em> is negative or zero, the
       number of
       retries will default to 1.
     </p>
 <p>
       Non-recursive queries can be made via the <code class="option">-r</code> option.
       Setting this option clears the <span class="type">RD</span> &#8212; recursion
       desired &#8212; bit in the query which <span><strong class="command">host</strong></span> makes.
       This should mean that the name server receiving the query will not
       attempt to resolve <em class="parameter"><code>name</code></em>.  The
       <code class="option">-r</code> option enables <span><strong class="command">host</strong></span>
       to mimic
       the behavior of a name server by making non-recursive queries and
       expecting to receive answers to those queries that are usually
       referrals to other name servers.
     </p>
 <p>
       By default, <span><strong class="command">host</strong></span> uses UDP when making
       queries.  The
       <code class="option">-T</code> option makes it use a TCP connection when querying
       the name server.  TCP will be automatically selected for queries that
       require it, such as zone transfer (AXFR) requests.
     </p>
 <p>
       The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only
       use IPv4 query transport.  The <code class="option">-6</code> option forces
       <span><strong class="command">host</strong></span> to only use IPv6 query transport.
     </p>
 <p>
       The <code class="option">-t</code> option is used to select the query type.
       <em class="parameter"><code>type</code></em> can be any recognized query
       type: CNAME,
       NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
       <span><strong class="command">host</strong></span> automatically selects an appropriate
       query
       type.  By default, it looks for A, AAAA, and MX records, but if the
       <code class="option">-C</code> option was given, queries will be made for SOA
       records, and if <em class="parameter"><code>name</code></em> is a
       dotted-decimal IPv4
       address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will
       query for PTR records.  If a query type of IXFR is chosen the starting
       serial number can be specified by appending an equal followed by the
       starting serial number (e.g. -t IXFR=12345678).
     </p>
 <p>
       The time to wait for a reply can be controlled through the
       <code class="option">-W</code> and <code class="option">-w</code> options.  The
       <code class="option">-W</code> option makes <span><strong class="command">host</strong></span>
       wait for
       <em class="parameter"><code>wait</code></em> seconds.  If <em class="parameter"><code>wait</code></em>
       is less than one, the wait interval is set to one second.  When the
       <code class="option">-w</code> option is used, <span><strong class="command">host</strong></span>
       will
       effectively wait forever for a reply.  The time to wait for a response
       will be set to the number of seconds given by the hardware's maximum
       value for an integer quantity.
     </p>
 <p>
       The <code class="option">-s</code> option tells <span><strong class="command">host</strong></span> 
       <span class="emphasis"><em>not</em></span> to send the query to the next nameserver
       if any server responds with a SERVFAIL response, which is the
       reverse of normal stub resolver behavior.
     </p>
 <p>
       The <code class="option">-m</code> can be used to set the memory usage debugging
       flags
       <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em> and
       <em class="parameter"><code>trace</code></em>.
     </p>
 <p>
       The <code class="option">-V</code> option causes <span><strong class="command">host</strong></span>
       to print the version number and exit.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614183"></a><h2>IDN SUPPORT</h2>
+<a name="id2613356"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
       <span><strong class="command">host</strong></span> appropriately converts character encoding of
       domain name before sending a request to DNS server or displaying a
       reply from the server.
       If you'd like to turn off the IDN support for some reason, defines
       the <code class="envar">IDN_DISABLE</code> environment variable.
       The IDN support is disabled if the variable is set when
       <span><strong class="command">host</strong></span> runs.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614212"></a><h2>FILES</h2>
+<a name="id2615160"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614226"></a><h2>SEE ALSO</h2>
+<a name="id2615174"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dig.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-checkds.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">dig </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">dnssec-checkds</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.isc-hmac-fixup.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.isc-hmac-fixup.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.isc-hmac-fixup.html	(revision 286124)
@@ -1,123 +1,123 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>isc-hmac-fixup</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.genrandom.html" title="genrandom">
 <link rel="next" href="man.nsec3hash.html" title="nsec3hash">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.genrandom.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code>  {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2660604"></a><h2>DESCRIPTION</h2>
+<a name="id2619978"></a><h2>DESCRIPTION</h2>
 <p>
       Versions of BIND 9 up to and including BIND 9.6 had a bug causing
       HMAC-SHA* TSIG keys which were longer than the digest length of the
       hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
       longer than 256 bits, etc) to be used incorrectly, generating a
       message authentication code that was incompatible with other DNS
       implementations.
     </p>
 <p>
       This bug has been fixed in BIND 9.7.  However, the fix may
       cause incompatibility between older and newer versions of
       BIND, when using long keys.  <span><strong class="command">isc-hmac-fixup</strong></span>
       modifies those keys to restore compatibility.
     </p>
 <p>
       To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
       specify the key's algorithm and secret on the command line.  If the
       secret is longer than the digest length of the algorithm (64 bytes
       for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
       new secret will be generated consisting of a hash digest of the old
       secret.  (If the secret did not require conversion, then it will be
       printed without modification.)
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2660632"></a><h2>SECURITY CONSIDERATIONS</h2>
+<a name="id2661376"></a><h2>SECURITY CONSIDERATIONS</h2>
 <p>
       Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
       are shortened, but as this is how the HMAC protocol works in
       operation anyway, it does not affect security.  RFC 2104 notes,
       "Keys longer than [the digest length] are acceptable but the
       extra length would not significantly increase the function
       strength."
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2660648"></a><h2>SEE ALSO</h2>
+<a name="id2661392"></a><h2>SEE ALSO</h2>
 <p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2104</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2660665"></a><h2>AUTHOR</h2>
+<a name="id2661409"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.genrandom.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">genrandom</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">nsec3hash</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.named-checkconf.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.named-checkconf.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.named-checkconf.html	(revision 286124)
@@ -1,162 +1,162 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-checkconf</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-verify.html" title="dnssec-verify">
 <link rel="next" href="man.named-checkzone.html" title="named-checkzone">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">named-checkconf</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.dnssec-verify.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.named-checkzone.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.named-checkconf"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-x</code>] [<code class="option">-z</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2636230"></a><h2>DESCRIPTION</h2>
+<a name="id2628713"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkconf</strong></span>
       checks the syntax, but not the semantics, of a
       <span><strong class="command">named</strong></span> configuration file.  The file is parsed
       and checked for syntax errors, along with all files included by it.
       If no file is specified, <code class="filename">/etc/named.conf</code> is read
       by default.
     </p>
 <p>
       Note: files that <span><strong class="command">named</strong></span> reads in separate
       parser contexts, such as <code class="filename">rndc.key</code> and
       <code class="filename">bind.keys</code>, are not automatically read
       by <span><strong class="command">named-checkconf</strong></span>.  Configuration
       errors in these files may cause <span><strong class="command">named</strong></span> to
       fail to run, even if <span><strong class="command">named-checkconf</strong></span> was
       successful.  <span><strong class="command">named-checkconf</strong></span> can be run
       on these files explicitly, however.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2636300"></a><h2>OPTIONS</h2>
+<a name="id2628784"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-h</span></dt>
 <dd><p>
             Print the usage summary and exit.
           </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
             Chroot to <code class="filename">directory</code> so that include
             directives in the configuration file are processed as if
             run by a similarly chrooted named.
           </p></dd>
 <dt><span class="term">-v</span></dt>
 <dd><p>
             Print the version of the <span><strong class="command">named-checkconf</strong></span>
             program and exit.
           </p></dd>
 <dt><span class="term">-p</span></dt>
 <dd><p>
 	    Print out the <code class="filename">named.conf</code> and included files
 	    in canonical form if no errors were detected.
           </p></dd>
 <dt><span class="term">-x</span></dt>
 <dd><p>
 	    When printing the configuration files in canonical
             form, obscure shared secrets by replacing them with
             strings of question marks ('?'). This allows the
             contents of <code class="filename">named.conf</code> and related
             files to be shared &#8212; for example, when submitting
             bug reports &#8212; without compromising private data.
             This option cannot be used without <code class="option">-p</code>.
           </p></dd>
 <dt><span class="term">-z</span></dt>
 <dd><p>
 	    Perform a test load of all master zones found in
 	    <code class="filename">named.conf</code>.
           </p></dd>
 <dt><span class="term">-j</span></dt>
 <dd><p>
             When loading a zonefile read the journal if it exists.
           </p></dd>
 <dt><span class="term">filename</span></dt>
 <dd><p>
             The name of the configuration file to be checked.  If not
             specified, it defaults to <code class="filename">/etc/named.conf</code>.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637002"></a><h2>RETURN VALUES</h2>
+<a name="id2634742"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkconf</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637016"></a><h2>SEE ALSO</h2>
+<a name="id2634824"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637046"></a><h2>AUTHOR</h2>
+<a name="id2634854"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.dnssec-verify.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.named-checkzone.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">dnssec-verify</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">named-checkzone</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.named-checkzone.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.named-checkzone.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.named-checkzone.html	(revision 286124)
@@ -1,332 +1,332 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-checkzone</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.named-checkconf.html" title="named-checkconf">
 <link rel="next" href="man.named.html" title="named">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">named-checkzone</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.named-checkconf.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.named-checkzone"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> &#8212; zone file validity checking or converting tool</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
 <div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2641434"></a><h2>DESCRIPTION</h2>
+<a name="id2641427"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
       checks the syntax and integrity of a zone file.  It performs the
       same checks as <span><strong class="command">named</strong></span> does when loading a
       zone.  This makes <span><strong class="command">named-checkzone</strong></span> useful for
       checking zone files before configuring them into a name server.
     </p>
 <p>
         <span><strong class="command">named-compilezone</strong></span> is similar to
 	<span><strong class="command">named-checkzone</strong></span>, but it always dumps the
         zone contents to a specified file in a specified format.
 	Additionally, it applies stricter check levels by default,
         since the dump output will be used as an actual zone file
 	loaded by <span><strong class="command">named</strong></span>.
 	When manually specified otherwise, the check levels must at
         least be as strict as those specified in the
 	<span><strong class="command">named</strong></span> configuration file.
      </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2679168"></a><h2>OPTIONS</h2>
+<a name="id2641477"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-d</span></dt>
 <dd><p>
             Enable debugging.
           </p></dd>
 <dt><span class="term">-h</span></dt>
 <dd><p>
             Print the usage summary and exit.
           </p></dd>
 <dt><span class="term">-q</span></dt>
 <dd><p>
             Quiet mode - exit code only.
           </p></dd>
 <dt><span class="term">-v</span></dt>
 <dd><p>
             Print the version of the <span><strong class="command">named-checkzone</strong></span>
             program and exit.
           </p></dd>
 <dt><span class="term">-j</span></dt>
 <dd><p>
             When loading the zone file read the journal if it exists.
           </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd><p>
             Specify the class of the zone.  If not specified, "IN" is assumed.
           </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
 <dd>
 <p>
 	      Perform post-load zone integrity checks.  Possible modes are
 	      <span><strong class="command">"full"</strong></span> (default),
 	      <span><strong class="command">"full-sibling"</strong></span>,
 	      <span><strong class="command">"local"</strong></span>,
 	      <span><strong class="command">"local-sibling"</strong></span> and
 	      <span><strong class="command">"none"</strong></span>.
 	  </p>
 <p>
 	      Mode <span><strong class="command">"full"</strong></span> checks that MX records
 	      refer to A or AAAA record (both in-zone and out-of-zone
 	      hostnames).  Mode <span><strong class="command">"local"</strong></span> only
 	      checks MX records which refer to in-zone hostnames.
 	  </p>
 <p>
 	      Mode <span><strong class="command">"full"</strong></span> checks that SRV records
 	      refer to A or AAAA record (both in-zone and out-of-zone
 	      hostnames).  Mode <span><strong class="command">"local"</strong></span> only
 	      checks SRV records which refer to in-zone hostnames.
 	  </p>
 <p>
 	      Mode <span><strong class="command">"full"</strong></span> checks that delegation NS
 	      records refer to A or AAAA record (both in-zone and out-of-zone
 	      hostnames).  It also checks that glue address records
 	      in the zone match those advertised by the child.
 	      Mode <span><strong class="command">"local"</strong></span> only checks NS records which
 	      refer to in-zone hostnames or that some required glue exists,
 	      that is when the nameserver is in a child zone.
 	  </p>
 <p>
 	      Mode <span><strong class="command">"full-sibling"</strong></span> and
 	      <span><strong class="command">"local-sibling"</strong></span> disable sibling glue
 	      checks but are otherwise the same as <span><strong class="command">"full"</strong></span>
 	      and <span><strong class="command">"local"</strong></span> respectively.
 	  </p>
 <p>
 	      Mode <span><strong class="command">"none"</strong></span> disables the checks.
 	  </p>
 </dd>
 <dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
 <dd><p>
 	    Specify the format of the zone file.
 	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
 	    and <span><strong class="command">"raw"</strong></span>.
 	  </p></dd>
 <dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
 <dd>
 <p>
 	    Specify the format of the output file specified.
 	    For <span><strong class="command">named-checkzone</strong></span>,
 	    this does not cause any effects unless it dumps the zone
 	    contents.
 	  </p>
 <p>
 	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
 	    and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>,
             which store the zone in a binary format for rapid loading
             by <span><strong class="command">named</strong></span>.  <span><strong class="command">"raw=N"</strong></span>
             specifies the format version of the raw zone file: if N
             is 0, the raw file can be read by any version of
             <span><strong class="command">named</strong></span>; if N is 1, the file can be read
             by release 9.9.0 or higher.  The default is 1.
 	  </p>
 </dd>
 <dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
 <dd><p>
             Perform <span><strong class="command">"check-names"</strong></span> checks with the
 	    specified failure mode.
             Possible modes are <span><strong class="command">"fail"</strong></span>
 	    (default for <span><strong class="command">named-compilezone</strong></span>),
             <span><strong class="command">"warn"</strong></span>
 	    (default for <span><strong class="command">named-checkzone</strong></span>) and
             <span><strong class="command">"ignore"</strong></span>.
           </p></dd>
 <dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
 <dd><p>
             When compiling a zone to 'raw' format, set the "source serial" 
             value in the header to the specified serial number.  (This is
             expected to be used primarily for testing purposes.)
           </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
 <dd><p>
             Specify whether MX records should be checked to see if they
             are addresses.  Possible modes are <span><strong class="command">"fail"</strong></span>,
             <span><strong class="command">"warn"</strong></span> (default) and
             <span><strong class="command">"ignore"</strong></span>.
           </p></dd>
 <dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
 <dd><p>
 	    Check if a MX record refers to a CNAME.
             Possible modes are <span><strong class="command">"fail"</strong></span>,
             <span><strong class="command">"warn"</strong></span> (default) and
             <span><strong class="command">"ignore"</strong></span>.
 	  </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
 <dd><p>
             Specify whether NS records should be checked to see if they
             are addresses.
 	    Possible modes are <span><strong class="command">"fail"</strong></span>
 	    (default for <span><strong class="command">named-compilezone</strong></span>),
             <span><strong class="command">"warn"</strong></span>
 	    (default for <span><strong class="command">named-checkzone</strong></span>) and
             <span><strong class="command">"ignore"</strong></span>.
           </p></dd>
 <dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
 <dd><p>
             Write zone output to <code class="filename">filename</code>.
 	    If <code class="filename">filename</code> is <code class="filename">-</code> then
 	    write to standard out.
 	    This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
           </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
 <dd><p>
             Check for records that are treated as different by DNSSEC but
 	    are semantically equal in plain DNS.  
             Possible modes are <span><strong class="command">"fail"</strong></span>,
             <span><strong class="command">"warn"</strong></span> (default) and
             <span><strong class="command">"ignore"</strong></span>.
 	  </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
 <dd><p>
 	    Specify the style of the dumped zone file.
 	    Possible styles are <span><strong class="command">"full"</strong></span> (default)
 	    and <span><strong class="command">"relative"</strong></span>.
 	    The full format is most suitable for processing
 	    automatically by a separate script.
 	    On the other hand, the relative format is more
 	    human-readable and is thus suitable for editing by hand.
 	    For <span><strong class="command">named-checkzone</strong></span>
 	    this does not cause any effects unless it dumps the zone
 	    contents.
 	    It also does not have any meaning if the output format
 	    is not text.
 	  </p></dd>
 <dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
 <dd><p>
 	    Check if a SRV record refers to a CNAME.
             Possible modes are <span><strong class="command">"fail"</strong></span>,
             <span><strong class="command">"warn"</strong></span> (default) and
             <span><strong class="command">"ignore"</strong></span>.
 	  </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
             Chroot to <code class="filename">directory</code> so that
             include
             directives in the configuration file are processed as if
             run by a similarly chrooted named.
           </p></dd>
 <dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
 <dd><p>
 	    Check if Sender Policy Framework (SPF) records exist
 	    and issues a warning if an SPF-formatted TXT record is
 	    not also present.  Possible modes are <span><strong class="command">"warn"</strong></span>
 	    (default), <span><strong class="command">"ignore"</strong></span>.
 	  </p></dd>
 <dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
             chdir to <code class="filename">directory</code> so that
             relative
             filenames in master file $INCLUDE directives work.  This
             is similar to the directory clause in
             <code class="filename">named.conf</code>.
           </p></dd>
 <dt><span class="term">-D</span></dt>
 <dd><p>
             Dump zone file in canonical format.
 	    This is always enabled for <span><strong class="command">named-compilezone</strong></span>.
           </p></dd>
 <dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
 <dd><p>
             Specify whether to check for non-terminal wildcards.
             Non-terminal wildcards are almost always the result of a
             failure to understand the wildcard matching algorithm (RFC 1034).
             Possible modes are <span><strong class="command">"warn"</strong></span> (default)
             and
             <span><strong class="command">"ignore"</strong></span>.
           </p></dd>
 <dt><span class="term">zonename</span></dt>
 <dd><p>
             The domain name of the zone being checked.
           </p></dd>
 <dt><span class="term">filename</span></dt>
 <dd><p>
             The name of the zone file.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2680008"></a><h2>RETURN VALUES</h2>
+<a name="id2679728"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2680090"></a><h2>SEE ALSO</h2>
+<a name="id2679741"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
       <em class="citetitle">RFC 1035</em>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2680123"></a><h2>AUTHOR</h2>
+<a name="id2679774"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.named-checkconf.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.named.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">named-checkconf</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">named</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.named-journalprint.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.named-journalprint.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.named-journalprint.html	(revision 286124)
@@ -1,113 +1,113 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named-journalprint</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.named.html" title="named">
 <link rel="next" href="man.nsupdate.html" title="nsupdate">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">named-journalprint</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.named.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.named-journalprint"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">named-journalprint</span> &#8212; print zone journal in human-readable form</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">named-journalprint</code>  {<em class="replaceable"><code>journal</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2616510"></a><h2>DESCRIPTION</h2>
+<a name="id2615069"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">named-journalprint</strong></span>
       prints the contents of a zone journal file in a human-readable
       form. 
     </p>
 <p>
       Journal files are automatically created by <span><strong class="command">named</strong></span> 
       when changes are made to dynamic zones (e.g., by
       <span><strong class="command">nsupdate</strong></span>).  They record each addition
       or deletion of a resource record, in binary format, allowing the
       changes to be re-applied to the zone when the server is
       restarted after a shutdown or crash.  By default, the name of
       the journal file is formed by appending the extension
       <code class="filename">.jnl</code> to the name of the corresponding
       zone file.
     </p>
 <p>
       <span><strong class="command">named-journalprint</strong></span> converts the contents of a given
       journal file into a human-readable text format.  Each line begins
       with "add" or "del", to indicate whether the record was added or
       deleted, and continues with the resource record in master-file
       format.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2643931"></a><h2>SEE ALSO</h2>
+<a name="id2642968"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2643962"></a><h2>AUTHOR</h2>
+<a name="id2642999"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.named.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">named</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">nsupdate</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.named.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.named.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.named.html	(revision 286124)
@@ -1,351 +1,351 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.named-checkzone.html" title="named-checkzone">
 <link rel="next" href="man.named-journalprint.html" title="named-journalprint">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">named</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.named"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">named</span> &#8212; Internet domain name server</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-U <em class="replaceable"><code>#listeners</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2642637"></a><h2>DESCRIPTION</h2>
+<a name="id2642152"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named</strong></span>
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
       information on the DNS, see RFCs 1033, 1034, and 1035.
     </p>
 <p>
       When invoked without arguments, <span><strong class="command">named</strong></span>
       will
       read the default configuration file
       <code class="filename">/etc/named.conf</code>, read any initial
       data, and listen for queries.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2642668"></a><h2>OPTIONS</h2>
+<a name="id2642183"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-4</span></dt>
 <dd><p>
             Use IPv4 only even if the host machine is capable of IPv6.
             <code class="option">-4</code> and <code class="option">-6</code> are mutually
             exclusive.
           </p></dd>
 <dt><span class="term">-6</span></dt>
 <dd><p>
             Use IPv6 only even if the host machine is capable of IPv4.
             <code class="option">-4</code> and <code class="option">-6</code> are mutually
             exclusive.
           </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
 <dd><p>
             Use <em class="replaceable"><code>config-file</code></em> as the
             configuration file instead of the default,
             <code class="filename">/etc/named.conf</code>.  To
             ensure that reloading the configuration file continues
             to work after the server has changed its working
             directory due to to a possible
             <code class="option">directory</code> option in the configuration
             file, <em class="replaceable"><code>config-file</code></em> should be
             an absolute pathname.
           </p></dd>
 <dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
 <dd><p>
             Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
             Debugging traces from <span><strong class="command">named</strong></span> become
             more verbose as the debug level increases.
           </p></dd>
 <dt><span class="term">-E <em class="replaceable"><code>engine-name</code></em></span></dt>
 <dd><p>
             Use a crypto hardware (OpenSSL engine) for the crypto operations
             it supports, for instance re-signing with private keys from
             a secure key store. When compiled with PKCS#11 support
             <em class="replaceable"><code>engine-name</code></em>
             defaults to pkcs11, the empty name resets it to no engine.
           </p></dd>
 <dt><span class="term">-f</span></dt>
 <dd><p>
             Run the server in the foreground (i.e. do not daemonize).
           </p></dd>
 <dt><span class="term">-g</span></dt>
 <dd><p>
             Run the server in the foreground and force all logging
             to <code class="filename">stderr</code>.
           </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
 <dd><p>
 	    Turn on memory usage debugging flags.  Possible flags are
 	    <em class="replaceable"><code>usage</code></em>,
 	    <em class="replaceable"><code>trace</code></em>,
 	    <em class="replaceable"><code>record</code></em>,
 	    <em class="replaceable"><code>size</code></em>, and
 	    <em class="replaceable"><code>mctx</code></em>.
 	    These correspond to the ISC_MEM_DEBUGXXXX flags described in
 	    <code class="filename">&lt;isc/mem.h&gt;</code>.
           </p></dd>
 <dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
 <dd><p>
             Create <em class="replaceable"><code>#cpus</code></em> worker threads
             to take advantage of multiple CPUs.  If not specified,
             <span><strong class="command">named</strong></span> will try to determine the
             number of CPUs present and create one thread per CPU.
             If it is unable to determine the number of CPUs, a
             single worker thread will be created.
           </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
 <dd><p>
             Listen for queries on port <em class="replaceable"><code>port</code></em>.  If not
             specified, the default is port 53.
           </p></dd>
 <dt><span class="term">-s</span></dt>
 <dd>
 <p>
             Write memory usage statistics to <code class="filename">stdout</code> on exit.
           </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
               This option is mainly of interest to BIND 9 developers
               and may be removed or changed in a future release.
             </p>
 </div>
 </dd>
 <dt><span class="term">-S <em class="replaceable"><code>#max-socks</code></em></span></dt>
 <dd>
 <p>
 	    Allow <span><strong class="command">named</strong></span> to use up to
 	    <em class="replaceable"><code>#max-socks</code></em> sockets.
 	  </p>
 <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
 <p>
               This option should be unnecessary for the vast majority
               of users.
 	      The use of this option could even be harmful because the
               specified value may exceed the limitation of the
               underlying system API.
 	      It is therefore set only when the default configuration
               causes exhaustion of file descriptors and the
               operational environment is known to support the
               specified number of sockets.
 	      Note also that the actual maximum number is normally a little
               fewer than the specified value because
 	      <span><strong class="command">named</strong></span> reserves some file descriptors
 	      for its internal use.
             </p>
 </div>
 </dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
 <dd>
 <p>Chroot
 	    to <em class="replaceable"><code>directory</code></em> after
             processing the command line arguments, but before
             reading the configuration file.
           </p>
 <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
 <p>
               This option should be used in conjunction with the
               <code class="option">-u</code> option, as chrooting a process
               running as root doesn't enhance security on most
               systems; the way <code class="function">chroot(2)</code> is
               defined allows a process with root privileges to
               escape a chroot jail.
             </p>
 </div>
 </dd>
 <dt><span class="term">-U <em class="replaceable"><code>#listeners</code></em></span></dt>
 <dd><p>
             Use <em class="replaceable"><code>#listeners</code></em>
             worker threads to listen for incoming UDP packets on each
             address.  If not specified, <span><strong class="command">named</strong></span> will
             calculate a default value based on the number of detected
             CPUs: 1 for 1 CPU, 2 for 2-4 CPUs, and the number of
             detected CPUs divided by 2 for values higher than 4.
             If <code class="option">-n</code> has been set to a higher value than
             the number of detected CPUs, then <code class="option">-U</code> may
             be increased as high as that value, but no higher.
           </p></dd>
 <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
 <dd>
 <p>Setuid
 	    to <em class="replaceable"><code>user</code></em> after completing
             privileged operations, such as creating sockets that
             listen on privileged ports.
           </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
               On Linux, <span><strong class="command">named</strong></span> uses the kernel's
               		capability mechanism to drop all root privileges
               except the ability to <code class="function">bind(2)</code> to
               a
               privileged port and set process resource limits.
               Unfortunately, this means that the <code class="option">-u</code>
               option only works when <span><strong class="command">named</strong></span> is
               run
               on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
               later, since previous kernels did not allow privileges
               to be retained after <code class="function">setuid(2)</code>.
             </p>
 </div>
 </dd>
 <dt><span class="term">-v</span></dt>
 <dd><p>
             Report the version number and exit.
           </p></dd>
 <dt><span class="term">-V</span></dt>
 <dd><p>
             Report the version number and build options, and exit.
           </p></dd>
 <dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
 <dd>
 <p>
             Load data from <em class="replaceable"><code>cache-file</code></em> into the
             cache of the default view.
           </p>
 <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Warning</h3>
 <p>
               This option must not be used.  It is only of interest
               to BIND 9 developers and may be removed or changed in a
               future release.
             </p>
 </div>
 </dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2680257"></a><h2>SIGNALS</h2>
+<a name="id2665845"></a><h2>SIGNALS</h2>
 <p>
       In routine operation, signals should not be used to control
       the nameserver; <span><strong class="command">rndc</strong></span> should be used
       instead.
     </p>
 <div class="variablelist"><dl>
 <dt><span class="term">SIGHUP</span></dt>
 <dd><p>
             Force a reload of the server.
           </p></dd>
 <dt><span class="term">SIGINT, SIGTERM</span></dt>
 <dd><p>
             Shut down the server.
           </p></dd>
 </dl></div>
 <p>
       The result of sending any other signals to the server is undefined.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2680307"></a><h2>CONFIGURATION</h2>
+<a name="id2665895"></a><h2>CONFIGURATION</h2>
 <p>
       The <span><strong class="command">named</strong></span> configuration file is too complex
       to describe in detail here.  A complete description is provided
       in the
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 <p>
       <span><strong class="command">named</strong></span> inherits the <code class="function">umask</code>
       (file creation mode mask) from the parent process. If files
       created by <span><strong class="command">named</strong></span>, such as journal files,
       need to have custom permissions, the <code class="function">umask</code>
       should be set explicitly in the script used to start the
       <span><strong class="command">named</strong></span> process.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2680356"></a><h2>FILES</h2>
+<a name="id2665944"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
 <dd><p>
             The default configuration file.
           </p></dd>
 <dt><span class="term"><code class="filename">/var/run/named/named.pid</code></span></dt>
 <dd><p>
             The default process-id file.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2680400"></a><h2>SEE ALSO</h2>
+<a name="id2679914"></a><h2>SEE ALSO</h2>
 <p><em class="citetitle">RFC 1033</em>,
       <em class="citetitle">RFC 1034</em>,
       <em class="citetitle">RFC 1035</em>,
       <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2680470"></a><h2>AUTHOR</h2>
+<a name="id2679985"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">named-checkzone</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">named-journalprint</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.nsec3hash.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.nsec3hash.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.nsec3hash.html	(revision 286124)
@@ -1,114 +1,114 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>nsec3hash</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">nsec3hash</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.nsec3hash"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">nsec3hash</span> &#8212; generate NSEC3 hash</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">nsec3hash</code>  {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2661120"></a><h2>DESCRIPTION</h2>
+<a name="id2661658"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
       a set of NSEC3 parameters.  This can be used to check the validity
       of NSEC3 records in a signed zone.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2661134"></a><h2>ARGUMENTS</h2>
+<a name="id2661673"></a><h2>ARGUMENTS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">salt</span></dt>
 <dd><p>
             The salt provided to the hash algorithm.
           </p></dd>
 <dt><span class="term">algorithm</span></dt>
 <dd><p>
             A number indicating the hash algorithm.  Currently the
             only supported hash algorithm for NSEC3 is SHA-1, which is
             indicated by the number 1; consequently "1" is the only
             useful value for this argument.
           </p></dd>
 <dt><span class="term">iterations</span></dt>
 <dd><p>
             The number of additional times the hash should be performed.
           </p></dd>
 <dt><span class="term">domain</span></dt>
 <dd><p>
             The domain name to be hashed.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2661196"></a><h2>SEE ALSO</h2>
+<a name="id2661735"></a><h2>SEE ALSO</h2>
 <p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5155</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2661213"></a><h2>AUTHOR</h2>
+<a name="id2661752"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">isc-hmac-fixup</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.nsupdate.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.nsupdate.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.nsupdate.html	(revision 286124)
@@ -1,647 +1,647 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>nsupdate</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.named-journalprint.html" title="named-journalprint">
 <link rel="next" href="man.rndc.html" title="rndc">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">nsupdate</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.named-journalprint.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.nsupdate"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">nsupdate</span> &#8212; Dynamic DNS update utility</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] |  [<code class="option">-o</code>] |  [<code class="option">-l</code>] |  [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [filename]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2644219"></a><h2>DESCRIPTION</h2>
+<a name="id2643939"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">nsupdate</strong></span>
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
       This allows resource records to be added or removed from a zone
       without manually editing the zone file.
       A single update request can contain requests to add or remove more than
       one
       resource record.
     </p>
 <p>
       Zones that are under dynamic control via
       <span><strong class="command">nsupdate</strong></span>
       or a DHCP server should not be edited by hand.
       Manual edits could
       conflict with dynamic updates and cause data to be lost.
     </p>
 <p>
       The resource records that are dynamically added or removed with
       <span><strong class="command">nsupdate</strong></span>
       have to be in the same zone.
       Requests are sent to the zone's master server.
       This is identified by the MNAME field of the zone's SOA record.
     </p>
 <p>
       The
       <code class="option">-d</code>
       option makes
       <span><strong class="command">nsupdate</strong></span>
       operate in debug mode.
       This provides tracing information about the update requests that are
       made and the replies received from the name server.
     </p>
 <p>
       The <code class="option">-D</code> option makes <span><strong class="command">nsupdate</strong></span>
       report additional debugging information to <code class="option">-d</code>.
     </p>
 <p>
       The <code class="option">-L</code> option with an integer argument of zero or
       higher sets the logging debug level.  If zero, logging is disabled.
     </p>
 <p>
       Transaction signatures can be used to authenticate the Dynamic
       DNS updates.  These use the TSIG resource record type described
       in RFC 2845 or the SIG(0) record described in RFC 2535 and
       RFC 2931 or GSS-TSIG as described in RFC 3645.  TSIG relies on
       a shared secret that should only be known to
       <span><strong class="command">nsupdate</strong></span> and the name server.  Currently,
       the only supported encryption algorithm for TSIG is HMAC-MD5,
       which is defined in RFC 2104.  Once other algorithms are
       defined for TSIG, applications will need to ensure they select
       the appropriate algorithm as well as the key when authenticating
       each other.  For instance, suitable <span class="type">key</span> and
       <span class="type">server</span> statements would be added to
       <code class="filename">/etc/named.conf</code> so that the name server
       can associate the appropriate secret key and algorithm with
       the IP address of the client application that will be using
       TSIG authentication.  SIG(0) uses public key cryptography.
       To use a SIG(0) key, the public key must be stored in a KEY
       record in a zone served by the name server.
       <span><strong class="command">nsupdate</strong></span> does not read
       <code class="filename">/etc/named.conf</code>.
     </p>
 <p>
       GSS-TSIG uses Kerberos credentials.  Standard GSS-TSIG mode
       is switched on with the <code class="option">-g</code> flag.  A
       non-standards-compliant variant of GSS-TSIG used by Windows
       2000 can be switched on with the <code class="option">-o</code> flag.
     </p>
 <p><span><strong class="command">nsupdate</strong></span>
       uses the <code class="option">-y</code> or <code class="option">-k</code> option
       to provide the shared secret needed to generate a TSIG record
       for authenticating Dynamic DNS update requests, default type
       HMAC-MD5.  These options are mutually exclusive. 
     </p>
 <p>
       When the <code class="option">-y</code> option is used, a signature is
       generated from
       [<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
       <em class="parameter"><code>keyname</code></em> is the name of the key, and
       <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
       <em class="parameter"><code>hmac</code></em> is the name of the key algorithm;
       valid choices are <code class="literal">hmac-md5</code>,
       <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
       <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>, or
       <code class="literal">hmac-sha512</code>.  If <em class="parameter"><code>hmac</code></em>
       is not specified, the default is <code class="literal">hmac-md5</code>.
       NOTE: Use of the <code class="option">-y</code> option is discouraged because the
       shared secret is supplied as a command line argument in clear text.
       This may be visible in the output from
       <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
       or in a history file maintained by the user's shell.
     </p>
 <p>
       With the
       <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
       the shared secret from the file <em class="parameter"><code>keyfile</code></em>.
       Keyfiles may be in two formats: a single file containing
       a <code class="filename">named.conf</code>-format <span><strong class="command">key</strong></span>
       statement, which may be generated automatically by
       <span><strong class="command">ddns-confgen</strong></span>, or a pair of files whose names are
       of the format <code class="filename">K{name}.+157.+{random}.key</code> and
       <code class="filename">K{name}.+157.+{random}.private</code>, which can be
       generated by <span><strong class="command">dnssec-keygen</strong></span>.
       The <code class="option">-k</code> may also be used to specify a SIG(0) key used
       to authenticate Dynamic DNS update requests.  In this case, the key
       specified is not an HMAC-MD5 key.
     </p>
 <p>
       <span><strong class="command">nsupdate</strong></span> can be run in a local-host only mode
       using the <code class="option">-l</code> flag.  This sets the server address to
       localhost (disabling the <span><strong class="command">server</strong></span> so that the server
       address cannot be overridden).  Connections to the local server will
       use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
       which is automatically generated by <span><strong class="command">named</strong></span> if any
       local master zone has set <span><strong class="command">update-policy</strong></span> to
       <span><strong class="command">local</strong></span>.  The location of this key file can be
       overridden with the <code class="option">-k</code> option.
     </p>
 <p>
       By default, <span><strong class="command">nsupdate</strong></span>
       uses UDP to send update requests to the name server unless they are too
       large to fit in a UDP request in which case TCP will be used.
       The
       <code class="option">-v</code>
       option makes
       <span><strong class="command">nsupdate</strong></span>
       use a TCP connection.
       This may be preferable when a batch of update requests is made.
     </p>
 <p>
       The <code class="option">-p</code> sets the default port number to use for
       connections to a name server.  The default is 53.
     </p>
 <p>
       The <code class="option">-t</code> option sets the maximum time an update request
       can
       take before it is aborted.  The default is 300 seconds.  Zero can be
       used
       to disable the timeout.
     </p>
 <p>
       The <code class="option">-u</code> option sets the UDP retry interval.  The default
       is
       3 seconds.  If zero, the interval will be computed from the timeout
       interval
       and number of UDP retries.
     </p>
 <p>
       The <code class="option">-r</code> option sets the number of UDP retries. The
       default is
       3.  If zero, only one update request will be made.
     </p>
 <p>
       The <code class="option">-R <em class="replaceable"><code>randomdev</code></em></code> option
       specifies a source of randomness.  If the operating system
       does not provide a <code class="filename">/dev/random</code> or
       equivalent device, the default source of randomness is keyboard
       input.  <code class="filename">randomdev</code> specifies the name of
       a character device or file containing random data to be used
       instead of the default.  The special value
       <code class="filename">keyboard</code> indicates that keyboard input
       should be used.  This option may be specified multiple times.
     </p>
 <p>
       The -V option causes <span><strong class="command">nsupdate</strong></span> to print the
       version number and exit.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2645159"></a><h2>INPUT FORMAT</h2>
+<a name="id2680104"></a><h2>INPUT FORMAT</h2>
 <p><span><strong class="command">nsupdate</strong></span>
       reads input from
       <em class="parameter"><code>filename</code></em>
       or standard input.
       Each command is supplied on exactly one line of input.
       Some commands are for administrative purposes.
       The others are either update instructions or prerequisite checks on the
       contents of the zone.
       These checks set conditions that some name or set of
       resource records (RRset) either exists or is absent from the zone.
       These conditions must be met if the entire update request is to succeed.
       Updates will be rejected if the tests for the prerequisite conditions
       fail.
     </p>
 <p>
       Every update request consists of zero or more prerequisites
       and zero or more updates.
       This allows a suitably authenticated update request to proceed if some
       specified resource records are present or missing from the zone.
       A blank input line (or the <span><strong class="command">send</strong></span> command)
       causes the
       accumulated commands to be sent as one Dynamic DNS update request to the
       name server.
     </p>
 <p>
       The command formats and their meaning are as follows:
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term">
               <span><strong class="command">server</strong></span>
                {servername}
                [port]
             </span></dt>
 <dd><p>
               Sends all dynamic update requests to the name server
               <em class="parameter"><code>servername</code></em>.
               When no server statement is provided,
               <span><strong class="command">nsupdate</strong></span>
               will send updates to the master server of the correct zone.
               The MNAME field of that zone's SOA record will identify the
               master
               server for that zone.
               <em class="parameter"><code>port</code></em>
               is the port number on
               <em class="parameter"><code>servername</code></em>
               where the dynamic update requests get sent.
               If no port number is specified, the default DNS port number of
               53 is
               used.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">local</strong></span>
                {address}
                [port]
             </span></dt>
 <dd><p>
               Sends all dynamic update requests using the local
               <em class="parameter"><code>address</code></em>.
 
               When no local statement is provided,
               <span><strong class="command">nsupdate</strong></span>
               will send updates using an address and port chosen by the
               system.
               <em class="parameter"><code>port</code></em>
               can additionally be used to make requests come from a specific
               port.
               If no port number is specified, the system will assign one.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">zone</strong></span>
                {zonename}
             </span></dt>
 <dd><p>
               Specifies that all updates are to be made to the zone
               <em class="parameter"><code>zonename</code></em>.
               If no
               <em class="parameter"><code>zone</code></em>
               statement is provided,
               <span><strong class="command">nsupdate</strong></span>
               will attempt determine the correct zone to update based on the
               rest of the input.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">class</strong></span>
                {classname}
             </span></dt>
 <dd><p>
               Specify the default class.
               If no <em class="parameter"><code>class</code></em> is specified, the
               default class is
               <em class="parameter"><code>IN</code></em>.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">ttl</strong></span>
                {seconds}
             </span></dt>
 <dd><p>
               Specify the default time to live for records to be added.
 	      The value <em class="parameter"><code>none</code></em> will clear the default
 	      ttl.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">key</strong></span>
                [hmac:] {keyname}
                {secret}
             </span></dt>
 <dd><p>
               Specifies that all updates are to be TSIG-signed using the
               <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>secret</code></em> pair.
               If <em class="parameter"><code>hmac</code></em> is specified, then it sets the
               signing algorithm in use; the default is
               <code class="literal">hmac-md5</code>.  The <span><strong class="command">key</strong></span>
               command overrides any key specified on the command line via
               <code class="option">-y</code> or <code class="option">-k</code>.
             </p></dd>
 <dt><span class="term">
             <span><strong class="command">gsstsig</strong></span>
           </span></dt>
 <dd><p>
 	      Use GSS-TSIG to sign the updated.  This is equivalent to
 	      specifying <code class="option">-g</code> on the commandline.
             </p></dd>
 <dt><span class="term">
             <span><strong class="command">oldgsstsig</strong></span>
           </span></dt>
 <dd><p>
 	      Use the Windows 2000 version of GSS-TSIG to sign the updated.
 	      This is equivalent to specifying <code class="option">-o</code> on the
 	      commandline.
             </p></dd>
 <dt><span class="term">
             <span><strong class="command">realm</strong></span>
              {[<span class="optional">realm_name</span>]}
           </span></dt>
 <dd><p>
 	      When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
 	      than the default realm in <code class="filename">krb5.conf</code>.  If no
 	      realm is specified the saved realm is cleared.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">[<span class="optional">prereq</span>] nxdomain</strong></span>
                {domain-name}
             </span></dt>
 <dd><p>
               Requires that no resource record of any type exists with name
               <em class="parameter"><code>domain-name</code></em>.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">[<span class="optional">prereq</span>] yxdomain</strong></span>
                {domain-name}
             </span></dt>
 <dd><p>
               Requires that
               <em class="parameter"><code>domain-name</code></em>
               exists (has as at least one resource record, of any type).
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">[<span class="optional">prereq</span>] nxrrset</strong></span>
                {domain-name}
                [class]
                {type}
             </span></dt>
 <dd><p>
               Requires that no resource record exists of the specified
               <em class="parameter"><code>type</code></em>,
               <em class="parameter"><code>class</code></em>
               and
               <em class="parameter"><code>domain-name</code></em>.
               If
               <em class="parameter"><code>class</code></em>
               is omitted, IN (internet) is assumed.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span>
                {domain-name}
                [class]
                {type}
             </span></dt>
 <dd><p>
               This requires that a resource record of the specified
               <em class="parameter"><code>type</code></em>,
               <em class="parameter"><code>class</code></em>
               and
               <em class="parameter"><code>domain-name</code></em>
               must exist.
               If
               <em class="parameter"><code>class</code></em>
               is omitted, IN (internet) is assumed.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span>
                {domain-name}
                [class]
                {type}
                {data...}
             </span></dt>
 <dd><p>
               The
               <em class="parameter"><code>data</code></em>
               from each set of prerequisites of this form
               sharing a common
               <em class="parameter"><code>type</code></em>,
               <em class="parameter"><code>class</code></em>,
               and
               <em class="parameter"><code>domain-name</code></em>
               are combined to form a set of RRs.  This set of RRs must
               exactly match the set of RRs existing in the zone at the
               given
               <em class="parameter"><code>type</code></em>,
               <em class="parameter"><code>class</code></em>,
               and
               <em class="parameter"><code>domain-name</code></em>.
               The
               <em class="parameter"><code>data</code></em>
               are written in the standard text representation of the resource
               record's
               RDATA.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
                {domain-name}
                [ttl]
                [class]
                [type [data...]]
             </span></dt>
 <dd><p>
               Deletes any resource records named
               <em class="parameter"><code>domain-name</code></em>.
               If
               <em class="parameter"><code>type</code></em>
               and
               <em class="parameter"><code>data</code></em>
               is provided, only matching resource records will be removed.
               The internet class is assumed if
               <em class="parameter"><code>class</code></em>
               is not supplied.  The
               <em class="parameter"><code>ttl</code></em>
               is ignored, and is only allowed for compatibility.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">[<span class="optional">update</span>] add</strong></span>
                {domain-name}
                {ttl}
                [class]
                {type}
                {data...}
             </span></dt>
 <dd><p>
               Adds a new resource record with the specified
               <em class="parameter"><code>ttl</code></em>,
               <em class="parameter"><code>class</code></em>
               and
               <em class="parameter"><code>data</code></em>.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">show</strong></span>
             </span></dt>
 <dd><p>
               Displays the current message, containing all of the
               prerequisites and
               updates specified since the last send.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">send</strong></span>
             </span></dt>
 <dd><p>
               Sends the current message.  This is equivalent to entering a
               blank line.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">answer</strong></span>
             </span></dt>
 <dd><p>
               Displays the answer.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">debug</strong></span>
             </span></dt>
 <dd><p>
               Turn on debugging.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">version</strong></span>
             </span></dt>
 <dd><p>
               Print version number.
             </p></dd>
 <dt><span class="term">
               <span><strong class="command">help</strong></span>
             </span></dt>
 <dd><p>
               Print a list of commands.
             </p></dd>
 </dl></div>
 <p>
     </p>
 <p>
       Lines beginning with a semicolon are comments and are ignored.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2681779"></a><h2>EXAMPLES</h2>
+<a name="id2681225"></a><h2>EXAMPLES</h2>
 <p>
       The examples below show how
       <span><strong class="command">nsupdate</strong></span>
       could be used to insert and delete resource records from the
       <span class="type">example.com</span>
       zone.
       Notice that the input in each example contains a trailing blank line so
       that
       a group of commands are sent as one dynamic update request to the
       master name server for
       <span class="type">example.com</span>.
 
       </p>
 <pre class="programlisting">
 # nsupdate
 &gt; update delete oldhost.example.com A
 &gt; update add newhost.example.com 86400 A 172.16.1.1
 &gt; send
 </pre>
 <p>
     </p>
 <p>
       Any A records for
       <span class="type">oldhost.example.com</span>
       are deleted.
       And an A record for
       <span class="type">newhost.example.com</span>
       with IP address 172.16.1.1 is added.
       The newly-added record has a 1 day TTL (86400 seconds).
       </p>
 <pre class="programlisting">
 # nsupdate
 &gt; prereq nxdomain nickname.example.com
 &gt; update add nickname.example.com 86400 CNAME somehost.example.com
 &gt; send
 </pre>
 <p>
     </p>
 <p>
       The prerequisite condition gets the name server to check that there
       are no resource records of any type for
       <span class="type">nickname.example.com</span>.
 
       If there are, the update request fails.
       If this name does not exist, a CNAME for it is added.
       This ensures that when the CNAME is added, it cannot conflict with the
       long-standing rule in RFC 1034 that a name must not exist as any other
       record type if it exists as a CNAME.
       (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
       RRSIG, DNSKEY and NSEC records.)
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2681829"></a><h2>FILES</h2>
+<a name="id2681275"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
 <dd><p>
             used to identify default name server
           </p></dd>
 <dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
 <dd><p>
             sets the default TSIG key for use in local-only mode
           </p></dd>
 <dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
 <dd><p>
             base-64 encoding of HMAC-MD5 key created by
             <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
           </p></dd>
 <dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
 <dd><p>
             base-64 encoding of HMAC-MD5 key created by
             <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2681912"></a><h2>SEE ALSO</h2>
+<a name="id2681427"></a><h2>SEE ALSO</h2>
 <p>
       <em class="citetitle">RFC 2136</em>,
       <em class="citetitle">RFC 3007</em>,
       <em class="citetitle">RFC 2104</em>,
       <em class="citetitle">RFC 2845</em>,
       <em class="citetitle">RFC 1034</em>,
       <em class="citetitle">RFC 2535</em>,
       <em class="citetitle">RFC 2931</em>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2681970"></a><h2>BUGS</h2>
+<a name="id2681484"></a><h2>BUGS</h2>
 <p>
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
       for its cryptographic operations, and may change in future
       releases.
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.named-journalprint.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">named-journalprint</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">rndc</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.rndc-confgen.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.rndc-confgen.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.rndc-confgen.html	(revision 286124)
@@ -1,227 +1,227 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc-confgen</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.rndc.conf.html" title="rndc.conf">
 <link rel="next" href="man.ddns-confgen.html" title="ddns-confgen">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">rndc-confgen</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.ddns-confgen.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.rndc-confgen"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2651074"></a><h2>DESCRIPTION</h2>
+<a name="id2654753"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">rndc-confgen</strong></span>
       generates configuration files
       for <span><strong class="command">rndc</strong></span>.  It can be used as a
       convenient alternative to writing the
       <code class="filename">rndc.conf</code> file
       and the corresponding <span><strong class="command">controls</strong></span>
       and <span><strong class="command">key</strong></span>
       statements in <code class="filename">named.conf</code> by hand.
       Alternatively, it can be run with the <span><strong class="command">-a</strong></span>
       option to set up a <code class="filename">rndc.key</code> file and
       avoid the need for a <code class="filename">rndc.conf</code> file
       and a <span><strong class="command">controls</strong></span> statement altogether.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2651140"></a><h2>OPTIONS</h2>
+<a name="id2654819"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd>
 <p>
             Do automatic <span><strong class="command">rndc</strong></span> configuration.
             This creates a file <code class="filename">rndc.key</code>
             in <code class="filename">/etc</code> (or whatever
             <code class="varname">sysconfdir</code>
             was specified as when <acronym class="acronym">BIND</acronym> was
             built)
             that is read by both <span><strong class="command">rndc</strong></span>
             and <span><strong class="command">named</strong></span> on startup.  The
             <code class="filename">rndc.key</code> file defines a default
             command channel and authentication key allowing
             <span><strong class="command">rndc</strong></span> to communicate with
             <span><strong class="command">named</strong></span> on the local host
             with no further configuration.
           </p>
 <p>
             Running <span><strong class="command">rndc-confgen -a</strong></span> allows
             BIND 9 and <span><strong class="command">rndc</strong></span> to be used as
             drop-in
             replacements for BIND 8 and <span><strong class="command">ndc</strong></span>,
             with no changes to the existing BIND 8
             <code class="filename">named.conf</code> file.
           </p>
 <p>
             If a more elaborate configuration than that
             generated by <span><strong class="command">rndc-confgen -a</strong></span>
             is required, for example if rndc is to be used remotely,
             you should run <span><strong class="command">rndc-confgen</strong></span> without
             the
             <span><strong class="command">-a</strong></span> option and set up a
             <code class="filename">rndc.conf</code> and
             <code class="filename">named.conf</code>
             as directed.
           </p>
 </dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 <dd><p>
             Specifies the size of the authentication key in bits.
             Must be between 1 and 512 bits; the default is 128.
           </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
 <dd><p>
             Used with the <span><strong class="command">-a</strong></span> option to specify
             an alternate location for <code class="filename">rndc.key</code>.
           </p></dd>
 <dt><span class="term">-h</span></dt>
 <dd><p>
             Prints a short summary of the options and arguments to
             <span><strong class="command">rndc-confgen</strong></span>.
           </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
 <dd><p>
             Specifies the key name of the rndc authentication key.
             This must be a valid domain name.
             The default is <code class="constant">rndc-key</code>.
           </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
 <dd><p>
             Specifies the command channel port where <span><strong class="command">named</strong></span>
             listens for connections from <span><strong class="command">rndc</strong></span>.
             The default is 953.
           </p></dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
 <dd><p>
             Specifies a source of random data for generating the
             authorization.  If the operating
             system does not provide a <code class="filename">/dev/random</code>
             or equivalent device, the default source of randomness
             is keyboard input.  <code class="filename">randomdev</code>
             specifies
             the name of a character device or file containing random
             data to be used instead of the default.  The special value
             <code class="filename">keyboard</code> indicates that keyboard
             input should be used.
           </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
 <dd><p>
             Specifies the IP address where <span><strong class="command">named</strong></span>
             listens for command channel connections from
             <span><strong class="command">rndc</strong></span>.  The default is the loopback
             address 127.0.0.1.
           </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
 <dd><p>
             Used with the <span><strong class="command">-a</strong></span> option to specify
             a directory where <span><strong class="command">named</strong></span> will run
             chrooted.  An additional copy of the <code class="filename">rndc.key</code>
             will be written relative to this directory so that
             it will be found by the chrooted <span><strong class="command">named</strong></span>.
           </p></dd>
 <dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
 <dd><p>
             Used with the <span><strong class="command">-a</strong></span> option to set the
             owner
             of the <code class="filename">rndc.key</code> file generated.
             If
             <span><strong class="command">-t</strong></span> is also specified only the file
             in
             the chroot area has its owner changed.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2651662"></a><h2>EXAMPLES</h2>
+<a name="id2657526"></a><h2>EXAMPLES</h2>
 <p>
       To allow <span><strong class="command">rndc</strong></span> to be used with
       no manual configuration, run
     </p>
 <p><strong class="userinput"><code>rndc-confgen -a</code></strong>
     </p>
 <p>
       To print a sample <code class="filename">rndc.conf</code> file and
       corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span>
       statements to be manually inserted into <code class="filename">named.conf</code>,
       run
     </p>
 <p><strong class="userinput"><code>rndc-confgen</code></strong>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2651719"></a><h2>SEE ALSO</h2>
+<a name="id2659289"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2659472"></a><h2>AUTHOR</h2>
+<a name="id2660215"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.ddns-confgen.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <code class="filename">rndc.conf</code> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">ddns-confgen</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.rndc.conf.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.rndc.conf.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.rndc.conf.html	(revision 286124)
@@ -1,256 +1,256 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc.conf</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.rndc.html" title="rndc">
 <link rel="next" href="man.rndc-confgen.html" title="rndc-confgen">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><code class="filename">rndc.conf</code></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.rndc.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.rndc-confgen.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.rndc.conf"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><code class="filename">rndc.conf</code> &#8212; rndc configuration file</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617883"></a><h2>DESCRIPTION</h2>
+<a name="id2650712"></a><h2>DESCRIPTION</h2>
 <p><code class="filename">rndc.conf</code> is the configuration file
       for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
       <code class="filename">named.conf</code>.  Statements are enclosed
       in braces and terminated with a semi-colon.  Clauses in
       the statements are also semi-colon terminated.  The usual
       comment styles are supported:
     </p>
 <p>
       C style: /* */
     </p>
 <p>
       C++ style: // to end of line
     </p>
 <p>
       Unix style: # to end of line
     </p>
 <p><code class="filename">rndc.conf</code> is much simpler than
       <code class="filename">named.conf</code>.  The file uses three
       statements: an options statement, a server statement
       and a key statement.
     </p>
 <p>
       The <code class="option">options</code> statement contains five clauses.
       The <code class="option">default-server</code> clause is followed by the
       name or address of a name server.  This host will be used when
       no name server is given as an argument to
       <span><strong class="command">rndc</strong></span>.  The <code class="option">default-key</code>
       clause is followed by the name of a key which is identified by
       a <code class="option">key</code> statement.  If no
       <code class="option">keyid</code> is provided on the rndc command line,
       and no <code class="option">key</code> clause is found in a matching
       <code class="option">server</code> statement, this default key will be
       used to authenticate the server's commands and responses.  The
       <code class="option">default-port</code> clause is followed by the port
       to connect to on the remote name server.  If no
       <code class="option">port</code> option is provided on the rndc command
       line, and no <code class="option">port</code> clause is found in a
       matching <code class="option">server</code> statement, this default port
       will be used to connect.
       The <code class="option">default-source-address</code> and
       <code class="option">default-source-address-v6</code> clauses which
       can be used to set the IPv4 and IPv6 source addresses
       respectively.
     </p>
 <p>
       After the <code class="option">server</code> keyword, the server
       statement includes a string which is the hostname or address
       for a name server.  The statement has three possible clauses:
       <code class="option">key</code>, <code class="option">port</code> and
       <code class="option">addresses</code>. The key name must match the
       name of a key statement in the file.  The port number
       specifies the port to connect to.  If an <code class="option">addresses</code>
       clause is supplied these addresses will be used instead of
       the server name.  Each address can take an optional port.
       If an <code class="option">source-address</code> or <code class="option">source-address-v6</code>
       of supplied then these will be used to specify the IPv4 and IPv6
       source addresses respectively.
     </p>
 <p>
       The <code class="option">key</code> statement begins with an identifying
       string, the name of the key.  The statement has two clauses.
       <code class="option">algorithm</code> identifies the encryption algorithm
       for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5
       is
       supported.  This is followed by a secret clause which contains
       the base-64 encoding of the algorithm's encryption key.  The
       base-64 string is enclosed in double quotes.
     </p>
 <p>
       There are two common ways to generate the base-64 string for the
       secret.  The BIND 9 program <span><strong class="command">rndc-confgen</strong></span>
       can
       be used to generate a random key, or the
       <span><strong class="command">mmencode</strong></span> program, also known as
       <span><strong class="command">mimencode</strong></span>, can be used to generate a
       base-64
       string from known input.  <span><strong class="command">mmencode</strong></span> does
       not
       ship with BIND 9 but is available on many systems.  See the
       EXAMPLE section for sample command lines for each.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2650345"></a><h2>EXAMPLE</h2>
+<a name="id2651089"></a><h2>EXAMPLE</h2>
 <pre class="programlisting">
       options {
         default-server  localhost;
         default-key     samplekey;
       };
 </pre>
 <p>
     </p>
 <pre class="programlisting">
       server localhost {
         key             samplekey;
       };
 </pre>
 <p>
     </p>
 <pre class="programlisting">
       server testserver {
         key		testkey;
         addresses	{ localhost port 5353; };
       };
 </pre>
 <p>
     </p>
 <pre class="programlisting">
       key samplekey {
         algorithm       hmac-md5;
         secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
       };
 </pre>
 <p>
     </p>
 <pre class="programlisting">
       key testkey {
         algorithm	hmac-md5;
         secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
       };
     </pre>
 <p>
     </p>
 <p>
       In the above example, <span><strong class="command">rndc</strong></span> will by
       default use
       the server at localhost (127.0.0.1) and the key called samplekey.
       Commands to the localhost server will use the samplekey key, which
       must also be defined in the server's configuration file with the
       same name and secret.  The key statement indicates that samplekey
       uses the HMAC-MD5 algorithm and its secret clause contains the
       base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
     </p>
 <p>
       If <span><strong class="command">rndc -s testserver</strong></span> is used then <span><strong class="command">rndc</strong></span> will
       connect to server on localhost port 5353 using the key testkey.
     </p>
 <p>
       To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>:
     </p>
 <p><strong class="userinput"><code>rndc-confgen</code></strong>
     </p>
 <p>
       A complete <code class="filename">rndc.conf</code> file, including
       the
       randomly generated key, will be written to the standard
       output.  Commented-out <code class="option">key</code> and
       <code class="option">controls</code> statements for
       <code class="filename">named.conf</code> are also printed.
     </p>
 <p>
       To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>:
     </p>
 <p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2650876"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2651210"></a><h2>NAME SERVER CONFIGURATION</h2>
 <p>
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the <code class="filename">rndc.conf</code>
       file, using the controls statement in <code class="filename">named.conf</code>.
       See the sections on the <code class="option">controls</code> statement in the
       BIND 9 Administrator Reference Manual for details.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2650902"></a><h2>SEE ALSO</h2>
+<a name="id2651236"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2650940"></a><h2>AUTHOR</h2>
+<a name="id2651274"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.rndc.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.rndc-confgen.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">rndc</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">rndc-confgen</span>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/man.rndc.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/man.rndc.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/man.rndc.html	(revision 286124)
@@ -1,547 +1,547 @@
 <!--
  - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>rndc</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
 <link rel="prev" href="man.nsupdate.html" title="nsupdate">
 <link rel="next" href="man.rndc.conf.html" title="rndc.conf">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
 <table width="100%" summary="Navigation header">
 <tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
 <tr>
 <td width="20%" align="left">
 <a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
 </td>
 </tr>
 </table>
 <hr>
 </div>
 <div class="refentry" lang="en">
 <a name="man.rndc"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><span class="application">rndc</span> &#8212; name server control utility</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2645298"></a><h2>DESCRIPTION</h2>
+<a name="id2644881"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">rndc</strong></span>
       controls the operation of a name
       server.  It supersedes the <span><strong class="command">ndc</strong></span> utility
       that was provided in old BIND releases.  If
       <span><strong class="command">rndc</strong></span> is invoked with no command line
       options or arguments, it prints a short summary of the
       supported commands and the available options and their
       arguments.
     </p>
 <p><span><strong class="command">rndc</strong></span>
       communicates with the name server
       over a TCP connection, sending commands authenticated with
       digital signatures.  In the current versions of
       <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
       the only supported authentication algorithm is HMAC-MD5,
       which uses a shared secret on each end of the connection.
       This provides TSIG-style authentication for the command
       request and the name server's response.  All commands sent
       over the channel must be signed by a key_id known to the
       server.
     </p>
 <p><span><strong class="command">rndc</strong></span>
       reads a configuration file to
       determine how to contact the name server and decide what
       algorithm and key it should use.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2645348"></a><h2>OPTIONS</h2>
+<a name="id2644931"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
 <dd><p>
             Use <em class="replaceable"><code>source-address</code></em>
             as the source address for the connection to the server.
             Multiple instances are permitted to allow setting of both
             the IPv4 and IPv6 source addresses.
           </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
 <dd><p>
             Use <em class="replaceable"><code>config-file</code></em>
             as the configuration file instead of the default,
             <code class="filename">/etc/rndc.conf</code>.
           </p></dd>
 <dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
 <dd><p>
             Use <em class="replaceable"><code>key-file</code></em>
             as the key file instead of the default,
             <code class="filename">/etc/rndc.key</code>.  The key in
             <code class="filename">/etc/rndc.key</code> will be used to
             authenticate
             commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
             does not exist.
           </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
 <dd><p><em class="replaceable"><code>server</code></em> is
             the name or address of the server which matches a
             server statement in the configuration file for
             <span><strong class="command">rndc</strong></span>.  If no server is supplied on the
             command line, the host named by the default-server clause
             in the options statement of the <span><strong class="command">rndc</strong></span>
 	    configuration file will be used.
           </p></dd>
 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
 <dd><p>
             Send commands to TCP port
             <em class="replaceable"><code>port</code></em>
             instead
             of BIND 9's default control channel port, 953.
           </p></dd>
 <dt><span class="term">-V</span></dt>
 <dd><p>
             Enable verbose logging.
           </p></dd>
 <dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
 <dd><p>
             Use the key <em class="replaceable"><code>key_id</code></em>
             from the configuration file.
             <em class="replaceable"><code>key_id</code></em>
             must be
             known by named with the same algorithm and secret string
             in order for control message validation to succeed.
             If no <em class="replaceable"><code>key_id</code></em>
             is specified, <span><strong class="command">rndc</strong></span> will first look
             for a key clause in the server statement of the server
             being used, or if no server statement is present for that
             host, then the default-key clause of the options statement.
             Note that the configuration file contains shared secrets
             which are used to send authenticated control commands
             to name servers.  It should therefore not have general read
             or write access.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2645966"></a><h2>COMMANDS</h2>
+<a name="id2648690"></a><h2>COMMANDS</h2>
 <p>
       A list of commands supported by <span><strong class="command">rndc</strong></span> can
       be seen by running <span><strong class="command">rndc</strong></span> without arguments.
     </p>
 <p>
       Currently supported commands are:
     </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
 <dd><p>
             Reload configuration file and zones.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd><p>
             Reload the given zone.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd><p>
             Schedule zone maintenance for the given zone.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd>
 <p>
             Retransfer the given slave zone from the master server.
           </p>
 <p>
             If the zone is configured to use
             <span><strong class="command">inline-signing</strong></span>, the signed
             version of the zone is discarded; after the
             retransfer of the unsigned version is complete, the
             signed version will be regenerated with all new
             signatures.
           </p>
 </dd>
 <dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd>
 <p>
             Fetch all DNSSEC keys for the given zone
             from the key directory (see the 
             <span><strong class="command">key-directory</strong></span> option in
             the BIND 9 Administrator Reference Manual).  If they are within
             their publication period, merge them into the
             zone's DNSKEY RRset.  If the DNSKEY RRset
             is changed, then the zone is automatically
             re-signed with the new key set.
           </p>
 <p>
             This command requires that the
             <span><strong class="command">auto-dnssec</strong></span> zone option be set
             to <code class="literal">allow</code> or
             <code class="literal">maintain</code>,
             and also requires the zone to be configured to
             allow dynamic DNS.
             (See "Dynamic Update Policies" in the Administrator
             Reference Manual for more details.)
           </p>
 </dd>
 <dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd>
 <p>
             Fetch all DNSSEC keys for the given zone
             from the key directory.  If they are within
             their publication period, merge them into the
             zone's DNSKEY RRset.  Unlike <span><strong class="command">rndc
             sign</strong></span>, however, the zone is not
             immediately re-signed by the new keys, but is
             allowed to incrementally re-sign over time.
           </p>
 <p>
             This command requires that the
             <span><strong class="command">auto-dnssec</strong></span> zone option
             be set to <code class="literal">maintain</code>,
             and also requires the zone to be configured to
             allow dynamic DNS.
             (See "Dynamic Update Policies" in the Administrator
             Reference Manual for more details.)
           </p>
 </dd>
 <dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
 <dd><p>
             Suspend updates to a dynamic zone.  If no zone is
             specified, then all zones are suspended.  This allows
             manual edits to be made to a zone normally updated by
             dynamic update.  It also causes changes in the
             journal file to be synced into the master file.
             All dynamic update attempts will be refused while
             the zone is frozen.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
 <dd><p>
             Enable updates to a frozen dynamic zone.  If no
             zone is specified, then all frozen zones are
             enabled.  This causes the server to reload the zone
             from disk, and re-enables dynamic updates after the
             load has completed.  After a zone is thawed,
             dynamic updates will no longer be refused.  If
             the zone has changed and the
             <span><strong class="command">ixfr-from-differences</strong></span> option is
             in use, then the journal file will be updated to
             reflect changes in the zone.  Otherwise, if the
             zone has changed, any existing journal file will be
             removed.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
 <dd><p>
             Sync changes in the journal file for a dynamic zone
             to the master file.  If the "-clean" option is
             specified, the journal file is also removed.  If
             no zone is specified, then all zones are synced.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 <dd><p>
             Resend NOTIFY messages for the zone.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
 <dd><p>
             Reload the configuration file and load new zones,
             but do not reload existing zone files even if they
             have changed.
             This is faster than a full <span><strong class="command">reload</strong></span> when there
             is a large number of zones because it avoids the need
             to examine the
             modification times of the zones files.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
 <dd><p>
             Write server statistics to the statistics file.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
 <dd>
 <p>
             Enable or disable query logging.  (For backward
             compatibility, this command can also be used without
             an argument to toggle query logging on and off.)
           </p>
 <p>
             Query logging can also be enabled
             by explicitly directing the <span><strong class="command">queries</strong></span>
             <span><strong class="command">category</strong></span> to a
             <span><strong class="command">channel</strong></span> in the
             <span><strong class="command">logging</strong></span> section of
             <code class="filename">named.conf</code> or by specifying
             <span><strong class="command">querylog yes;</strong></span> in the
             <span><strong class="command">options</strong></span> section of
             <code class="filename">named.conf</code>.
           </p>
 </dd>
 <dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
 <dd><p>
             Dump the server's caches (default) and/or zones to
             the
             dump file for the specified views.  If no view is
             specified, all
             views are dumped.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
 <dd><p>
             Dump the server's security roots to the secroots
             file for the specified views.  If no view is
             specified, security roots for all
             views are dumped.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
 <dd><p>
             Stop the server, making sure any recent changes
             made through dynamic update or IXFR are first saved to
             the master files of the updated zones.
             If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
             This allows an external process to determine when <span><strong class="command">named</strong></span>
             had completed stopping.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
 <dd><p>
             Stop the server immediately.  Recent changes
             made through dynamic update or IXFR are not saved to
             the master files, but will be rolled forward from the
             journal files when the server is restarted.
             If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
             This allows an external process to determine when <span><strong class="command">named</strong></span>
             had completed halting.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
 <dd><p>
             Increment the servers debugging level by one.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
 <dd><p>
             Sets the server's debugging level to an explicit
             value.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
 <dd><p>
             Sets the server's debugging level to 0.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
 <dd><p>
             Flushes the server's cache.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
 <dd><p>
             Flushes the given name from the server's DNS cache
             and, if applicable, from the server's nameserver address
             database or bad-server cache.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
 <dd><p>
             Flushes the given name, and all of its subdomains,
             from the server's DNS cache.  Note that this does
             <span class="emphasis"><em>not</em></span> affect he server's address
             database or bad-server cache.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
 <dd><p>
             Display status of the server.
             Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
             and the default <span><strong class="command">./IN</strong></span>
             hint zone if there is not an
             explicit root zone configured.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
 <dd><p>
             Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
             on.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
 <dd><p>
             Enable, disable, or check the current status of
             DNSSEC validation.
             Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
             set to <strong class="userinput"><code>yes</code></strong> or
             <strong class="userinput"><code>auto</code></strong> to be effective.
             It defaults to enabled.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
 <dd><p>
             List the names of all TSIG keys currently configured
             for use by <span><strong class="command">named</strong></span> in each view.  The
             list both statically configured keys and dynamic
             TKEY-negotiated keys.
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
 <dd><p>
             Delete a given TKEY-negotiated key from the server.
             (This does not apply to statically configured TSIG
             keys.)
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
 <dd>
 <p>
             Add a zone while the server is running.  This
             command requires the
             <span><strong class="command">allow-new-zones</strong></span> option to be set
             to <strong class="userinput"><code>yes</code></strong>.  The
             <em class="replaceable"><code>configuration</code></em> string
             specified on the command line is the zone
             configuration text that would ordinarily be
             placed in <code class="filename">named.conf</code>.
           </p>
 <p>
             The configuration is saved in a file called
            <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
             where <em class="replaceable"><code>hash</code></em> is a
             cryptographic hash generated from the name of
             the view.  When <span><strong class="command">named</strong></span> is
             restarted, the file will be loaded into the view
             configuration, so that zones that were added
             can persist after a restart.
           </p>
 <p>
             This sample <span><strong class="command">addzone</strong></span> command
             would add the zone <code class="literal">example.com</code>
             to the default view:
           </p>
 <p>
 <code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
           </p>
 <p>
             (Note the brackets and semi-colon around the zone
             configuration text.)
           </p>
 </dd>
 <dt><span class="term"><strong class="userinput"><code>delzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
 <dd><p>
             Delete a zone while the server is running.
             Only zones that were originally added via
             <span><strong class="command">rndc addzone</strong></span> can be deleted
             in this manner. 
           </p></dd>
 <dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
 <dd>
 <p>
             List, edit, or remove the DNSSEC signing state records
             for the specified zone.  The status of ongoing DNSSEC
             operations (such as signing or generating
             NSEC3 chains) is stored in the zone in the form
             of DNS resource records of type
             <span><strong class="command">sig-signing-type</strong></span>. 
             <span><strong class="command">rndc signing -list</strong></span> converts
             these records into a human-readable form,
             indicating which keys are currently signing
             or have finished signing the zone, and which NSEC3
             chains are being created or removed.
           </p>
 <p>
             <span><strong class="command">rndc signing -clear</strong></span> can remove
             a single key (specified in the same format that
             <span><strong class="command">rndc signing -list</strong></span> uses to
             display it), or all keys.  In either case, only
             completed keys are removed; any record indicating
             that a key has not yet finished signing the zone
             will be retained.
           </p>
 <p>
             <span><strong class="command">rndc signing -nsec3param</strong></span> sets
             the NSEC3 parameters for a zone.  This is the
             only supported mechanism for using NSEC3 with
             <span><strong class="command">inline-signing</strong></span> zones.
             Parameters are specified in the same format as
             an NSEC3PARAM resource record: hash algorithm,
             flags, iterations, and salt, in that order.
           </p>
 <p>
             Currently, the only defined value for hash algorithm 
             is <code class="literal">1</code>, representing SHA-1.
             The <code class="option">flags</code> may be set to
             <code class="literal">0</code> or <code class="literal">1</code>,
             depending on whether you wish to set the opt-out
             bit in the NSEC3 chain.  <code class="option">iterations</code>
             defines the number of additional times to apply
             the algorithm when generating an NSEC3 hash.  The
             <code class="option">salt</code> is a string of data expressed
             in hexadecimal, or a hyphen (`-') if no salt is
             to be used.
           </p>
 <p>
             So, for example, to create an NSEC3 chain using
             the SHA-1 hash algorithm, no opt-out flag,
             10 iterations, and a salt value of "FFFF", use:
             <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
             To set the opt-out flag, 15 iterations, and no
             salt, use:
             <span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
           </p>
 <p>
             <span><strong class="command">rndc signing -nsec3param none</strong></span>
             removes an existing NSEC3 chain and replaces it
             with NSEC.
           </p>
 </dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2683116"></a><h2>LIMITATIONS</h2>
+<a name="id2682631"></a><h2>LIMITATIONS</h2>
 <p>
       There is currently no way to provide the shared secret for a
       <code class="option">key_id</code> without using the configuration file.
     </p>
 <p>
       Several error messages could be clearer.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2683134"></a><h2>SEE ALSO</h2>
+<a name="id2682649"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2683190"></a><h2>AUTHOR</h2>
+<a name="id2682705"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
 </div>
 <div class="navfooter">
 <hr>
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
 <a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">nsupdate</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <code class="filename">rndc.conf</code>
 </td>
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.7 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.7-P2 (Extended Support Version)</p>
 </body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/notes.html
===================================================================
--- stable/9/contrib/bind9/doc/arm/notes.html	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/notes.html	(revision 286124)
@@ -1,255 +1,110 @@
 <!--
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title></title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article" lang="en"><div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2542126"></a>Release Notes for BIND Version 9.9.7</h2></div></div></div>
+<a name="id2542126"></a>Release Notes for BIND Version 9.9.7-P2</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
 <p>
-      This document summarizes changes since the last production release
-      of BIND on the corresponding major release branch.
+      This document summarizes changes since BIND 9.9.7.
     </p>
+<p>
+      BIND 9.9.7-P2 addresses a security issue described in CVE-2015-5477.
+    </p>
+<p>
+      BIND 9.9.7-P1 addresses a security issue described in CVE-2015-4620.
+    </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_download"></a>Download</h3></div></div></div>
 <p>
       The latest versions of BIND 9 software can always be found at
       <a href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
       There you will find additional information about each release,
       source code, and pre-compiled versions for Microsoft Windows
       operating systems.
     </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul type="disc">
 <li>
 <p>
-	  On servers configured to perform DNSSEC validation using
-	  managed trust anchors (i.e., keys configured explicitly
-	  via <span><strong class="command">managed-keys</strong></span>, or implicitly 
-	  via <span><strong class="command">dnssec-validation auto;</strong></span> or
-	  <span><strong class="command">dnssec-lookaside auto;</strong></span>), revoking
-	  a trust anchor and sending a new untrusted replacement
-	  could cause <span><strong class="command">named</strong></span> to crash with an
-	  assertion failure. This could occur in the event of a
-	  botched key rollover, or potentially as a result of a
-	  deliberate attack if the attacker was in position to
-	  monitor the victim's DNS traffic.
+	  A specially crafted query could trigger an assertion failure
+	  in message.c.
 	</p>
 <p>
-	  This flaw was discovered by Jan-Piet Mens, and is
-	  disclosed in CVE-2015-1349. [RT #38344]
+	  This flaw was discovered by Jonathan Foote, and is disclosed
+	  in CVE-2015-5477. [RT #39795]
 	</p>
 </li>
 <li>
 <p>
-	  A flaw in delegation handling could be exploited to put
-	  <span><strong class="command">named</strong></span> into an infinite loop, in which
-	  each lookup of a name server triggered additional lookups
-	  of more name servers.  This has been addressed by placing
-	  limits on the number of levels of recursion
-	  <span><strong class="command">named</strong></span> will allow (default 7), and
-	  on the number of queries that it will send before
-	  terminating a recursive query (default 50).
+	  On servers configured to perform DNSSEC validation, an
+	  assertion failure could be triggered on answers from
+	  a specially configured server.
 	</p>
 <p>
-	  The recursion depth limit is configured via the
-	  <code class="option">max-recursion-depth</code> option, and the query limit
-	  via the <code class="option">max-recursion-queries</code> option.
+	  This flaw was discovered by Breno Silveira Soares, and is
+	  disclosed in CVE-2015-4620. [RT #39795]
 	</p>
-<p>
-	  The flaw was discovered by Florian Maury of ANSSI, and is
-	  disclosed in CVE-2014-8500. [RT #37580]
-	</p>
 </li>
 </ul></div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_features"></a>New Features</h3></div></div></div>
 <div class="itemizedlist"><ul type="disc"><li><p>None</p></li></ul></div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-<div class="itemizedlist"><ul type="disc">
-<li><p>
-          NXDOMAIN responses to queries of type DS are now cached separately
-          from those for other types. This helps when using "grafted" zones
-          of type forward, for which the parent zone does not contain a
-          delegation, such as local top-level domains.  Previously a query
-          of type DS for such a zone could cause the zone apex to be cached
-          as NXDOMAIN, blocking all subsequent queries.  (Note: This
-          change is only helpful when DNSSEC validation is not enabled.
-          "Grafted" zones without a delegation in the parent are not a
-          recommended configuration.)
-        </p></li>
-<li><p>
-          NOTIFY messages that are sent because a zone has been updated
-          are now given priority above NOTIFY messages that were scheduled
-          when the server started up. This should mitigate delays in zone
-          propagation when servers are restarted frequently.
-        </p></li>
-<li><p>
-          Errors reported when running <span><strong class="command">rndc addzone</strong></span>
-          (e.g., when a zone file cannot be loaded) have been clarified
-          to make it easier to diagnose problems.
-        </p></li>
-<li><p>
-	  Added support for OPENPGPKEY type.
-        </p></li>
-<li><p>
-	  When encountering an authoritative name server whose name is
-	  an alias pointing to another name, the resolver treats
-	  this as an error and skips to the next server. Previously
-	  this happened silently; now the error will be logged to
-	  the newly-created "cname" log category.
-	</p></li>
-<li><p>
-	  If named is not configured to validate the answer then
-	  allow fallback to plain DNS on timeout even when we know
-	  the server supports EDNS.  This will allow the server to
-	  potentially resolve signed queries when TCP is being
-	  blocked.
-	</p></li>
-</ul></div>
+<div class="itemizedlist"><ul type="disc"><li><p>None</p></li></ul></div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-<div class="itemizedlist"><ul type="disc">
-<li><p>
-	  <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span> and
-	  <span><strong class="command">nslookup</strong></span> aborted when encountering
-	  a name which, after appending search list elements,
-	  exceeded 255 bytes. Such names are now skipped, but
-	  processing of other names will continue. [RT #36892]
-        </p></li>
-<li><p>
-	  The error message generated when
-	  <span><strong class="command">named-checkzone</strong></span> or
-	  <span><strong class="command">named-checkconf -z</strong></span> encounters a
-	  <code class="option">$TTL</code> directive without a value has
-	  been clarified. [RT #37138]
-        </p></li>
-<li><p>
-	  Semicolon characters (;) included in TXT records were
-	  incorrectly escaped with a backslash when the record was
-	  displayed as text. This is actually only necessary when there
-	  are no quotation marks. [RT #37159]
-        </p></li>
-<li><p>
-	  When files opened for writing by <span><strong class="command">named</strong></span>,
-	  such as zone journal files, were referenced more than once
-	  in <code class="filename">named.conf</code>, it could lead to file
-	  corruption as multiple threads wrote to the same file. This
-	  is now detected when loading <code class="filename">named.conf</code>
-	  and reported as an error. [RT #37172]
-        </p></li>
-<li><p>
-          <span><strong class="command">dnssec-keygen -S</strong></span> failed to generate successor
-          keys for some algorithm types (including ECDSA and GOST) due to
-          a difference in the content of private key files. This has been
-          corrected. [RT #37183]
-        </p></li>
-<li><p>
-          UPDATE messages that arrived too soon after
-          an <span><strong class="command">rndc thaw</strong></span> could be lost. [RT #37233]
-        </p></li>
-<li><p>
-          Forwarding of UPDATE messages did not work when they were
-          signed with SIG(0); they resulted in a BADSIG response code.
-          [RT #37216]
-        </p></li>
-<li><p>
-          When checking for updates to trust anchors listed in
-          <code class="option">managed-keys</code>, <span><strong class="command">named</strong></span>
-          now revalidates keys based on the current set of
-          active trust anchors, without relying on any cached
-          record of previous validation. [RT #37506]
-        </p></li>
-<li><p>
-	  When NXDOMAIN redirection is in use, queries for a name
-	  that is present in the redirection zone but a type that
-	  is not present will now return NOERROR instead of NXDOMAIN.
-        </p></li>
-<li><p>
-	  When a zone contained a delegation to an IPv6 name server
-	  but not an IPv4 name server, it was possible for a memory
-	  reference to be left un-freed. This caused an assertion
-	  failure on server shutdown, but was otherwise harmless.
-	  [RT #37796]
-        </p></li>
-<li><p>
-	  Due to an inadvertent removal of code in the previous
-	  release, when <span><strong class="command">named</strong></span> encountered an
-	  authoritative name server which dropped all EDNS queries,
-	  it did not always try plain DNS. This has been corrected.
-	  [RT #37965]
-        </p></li>
-<li><p>
-	  A regression caused nsupdate to use the default recursive servers
-	  rather than the SOA MNAME server when sending the UPDATE.
-        </p></li>
-<li><p>
-	  Adjusted max-recursion-queries to better accommodate empty
-	  caches.
-        </p></li>
-<li><p>
-	  Built-in "empty" zones did not correctly inherit the
-	  "allow-transfer" ACL from the options or view. [RT #38310]
-        </p></li>
-<li><p>
-	  A mutex leak was fixed that could cause <span><strong class="command">named</strong></span>
-	  processes to grow to very large sizes. [RT #38454]
-	</p></li>
-<li><p>
-	  Fixed some bugs in RFC 5011 trust anchor management,
-	  including a memory leak and a possible loss of state
-	  information.[RT #38458]
-	</p></li>
-</ul></div>
+<div class="itemizedlist"><ul type="disc"><li><p>None</p></li></ul></div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="end_of_life"></a>End of Life</h3></div></div></div>
 <p>
       The BIND 9.9 (Extended Support Version) will be supported until June, 2017.
       <a href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a>
     </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
 <p>
       Thank you to everyone who assisted us in making this release possible.
       If you would like to contribute to ISC to assist us in continuing to
       make quality open source software, please visit our donations page at
       <a href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
     </p>
 </div>
 </div></div></body>
 </html>
Index: stable/9/contrib/bind9/doc/arm/notes.pdf
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/pdf
Index: stable/9/contrib/bind9/doc/arm/notes.xml
===================================================================
--- stable/9/contrib/bind9/doc/arm/notes.xml	(revision 286123)
+++ stable/9/contrib/bind9/doc/arm/notes.xml	(revision 286124)
@@ -1,292 +1,111 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
  - Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
 <sect1 xmlns:xi="http://www.w3.org/2001/XInclude">
   <xi:include href="noteversion.xml"/>
   <sect2 id="relnotes_intro">
     <title>Introduction</title>
     <para>
-      This document summarizes changes since the last production release
-      of BIND on the corresponding major release branch.
+      This document summarizes changes since BIND 9.9.7.
     </para>
+    <para>
+      BIND 9.9.7-P2 addresses a security issue described in CVE-2015-5477.
+    </para>
+    <para>
+      BIND 9.9.7-P1 addresses a security issue described in CVE-2015-4620.
+    </para>
   </sect2>
   <sect2 id="relnotes_download">
     <title>Download</title>
     <para>
       The latest versions of BIND 9 software can always be found at
       <ulink url="http://www.isc.org/downloads/"
 	>http://www.isc.org/downloads/</ulink>.
       There you will find additional information about each release,
       source code, and pre-compiled versions for Microsoft Windows
       operating systems.
     </para>
   </sect2>
   <sect2 id="relnotes_security">
     <title>Security Fixes</title>
     <itemizedlist>
       <listitem>
 	<para>
-	  On servers configured to perform DNSSEC validation using
-	  managed trust anchors (i.e., keys configured explicitly
-	  via <command>managed-keys</command>, or implicitly 
-	  via <command>dnssec-validation auto;</command> or
-	  <command>dnssec-lookaside auto;</command>), revoking
-	  a trust anchor and sending a new untrusted replacement
-	  could cause <command>named</command> to crash with an
-	  assertion failure. This could occur in the event of a
-	  botched key rollover, or potentially as a result of a
-	  deliberate attack if the attacker was in position to
-	  monitor the victim's DNS traffic.
+	  A specially crafted query could trigger an assertion failure
+	  in message.c.
 	</para>
 	<para>
-	  This flaw was discovered by Jan-Piet Mens, and is
-	  disclosed in CVE-2015-1349. [RT #38344]
+	  This flaw was discovered by Jonathan Foote, and is disclosed
+	  in CVE-2015-5477. [RT #39795]
 	</para>
       </listitem>
       <listitem>
 	<para>
-	  A flaw in delegation handling could be exploited to put
-	  <command>named</command> into an infinite loop, in which
-	  each lookup of a name server triggered additional lookups
-	  of more name servers.  This has been addressed by placing
-	  limits on the number of levels of recursion
-	  <command>named</command> will allow (default 7), and
-	  on the number of queries that it will send before
-	  terminating a recursive query (default 50).
+	  On servers configured to perform DNSSEC validation, an
+	  assertion failure could be triggered on answers from
+	  a specially configured server.
 	</para>
 	<para>
-	  The recursion depth limit is configured via the
-	  <option>max-recursion-depth</option> option, and the query limit
-	  via the <option>max-recursion-queries</option> option.
+	  This flaw was discovered by Breno Silveira Soares, and is
+	  disclosed in CVE-2015-4620. [RT #39795]
 	</para>
-	<para>
-	  The flaw was discovered by Florian Maury of ANSSI, and is
-	  disclosed in CVE-2014-8500. [RT #37580]
-	</para>
       </listitem>
     </itemizedlist>
   </sect2>
   <sect2 id="relnotes_features">
     <title>New Features</title>
     <itemizedlist>
       <listitem>
 	<para>None</para>
       </listitem>
     </itemizedlist>
   </sect2>
   <sect2 id="relnotes_changes">
     <title>Feature Changes</title>
     <itemizedlist>
       <listitem>
-        <para>
-          NXDOMAIN responses to queries of type DS are now cached separately
-          from those for other types. This helps when using "grafted" zones
-          of type forward, for which the parent zone does not contain a
-          delegation, such as local top-level domains.  Previously a query
-          of type DS for such a zone could cause the zone apex to be cached
-          as NXDOMAIN, blocking all subsequent queries.  (Note: This
-          change is only helpful when DNSSEC validation is not enabled.
-          "Grafted" zones without a delegation in the parent are not a
-          recommended configuration.)
-        </para>
+	<para>None</para>
       </listitem>
-      <listitem>
-        <para>
-          NOTIFY messages that are sent because a zone has been updated
-          are now given priority above NOTIFY messages that were scheduled
-          when the server started up. This should mitigate delays in zone
-          propagation when servers are restarted frequently.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          Errors reported when running <command>rndc addzone</command>
-          (e.g., when a zone file cannot be loaded) have been clarified
-          to make it easier to diagnose problems.
-        </para>
-      </listitem>
-      <listitem>
-	<para>
-	  Added support for OPENPGPKEY type.
-        </para>
-      </listitem>
-      <listitem>
-	<para>
-	  When encountering an authoritative name server whose name is
-	  an alias pointing to another name, the resolver treats
-	  this as an error and skips to the next server. Previously
-	  this happened silently; now the error will be logged to
-	  the newly-created "cname" log category.
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  If named is not configured to validate the answer then
-	  allow fallback to plain DNS on timeout even when we know
-	  the server supports EDNS.  This will allow the server to
-	  potentially resolve signed queries when TCP is being
-	  blocked.
-	</para>
-      </listitem>
     </itemizedlist>
   </sect2>
   <sect2 id="relnotes_bugs">
     <title>Bug Fixes</title>
     <itemizedlist>
       <listitem>
-        <para>
-	  <command>dig</command>, <command>host</command> and
-	  <command>nslookup</command> aborted when encountering
-	  a name which, after appending search list elements,
-	  exceeded 255 bytes. Such names are now skipped, but
-	  processing of other names will continue. [RT #36892]
-        </para>
+	<para>None</para>
       </listitem>
-      <listitem>
-        <para>
-	  The error message generated when
-	  <command>named-checkzone</command> or
-	  <command>named-checkconf -z</command> encounters a
-	  <option>$TTL</option> directive without a value has
-	  been clarified. [RT #37138]
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-	  Semicolon characters (;) included in TXT records were
-	  incorrectly escaped with a backslash when the record was
-	  displayed as text. This is actually only necessary when there
-	  are no quotation marks. [RT #37159]
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-	  When files opened for writing by <command>named</command>,
-	  such as zone journal files, were referenced more than once
-	  in <filename>named.conf</filename>, it could lead to file
-	  corruption as multiple threads wrote to the same file. This
-	  is now detected when loading <filename>named.conf</filename>
-	  and reported as an error. [RT #37172]
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>dnssec-keygen -S</command> failed to generate successor
-          keys for some algorithm types (including ECDSA and GOST) due to
-          a difference in the content of private key files. This has been
-          corrected. [RT #37183]
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          UPDATE messages that arrived too soon after
-          an <command>rndc thaw</command> could be lost. [RT #37233]
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          Forwarding of UPDATE messages did not work when they were
-          signed with SIG(0); they resulted in a BADSIG response code.
-          [RT #37216]
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          When checking for updates to trust anchors listed in
-          <option>managed-keys</option>, <command>named</command>
-          now revalidates keys based on the current set of
-          active trust anchors, without relying on any cached
-          record of previous validation. [RT #37506]
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-	  When NXDOMAIN redirection is in use, queries for a name
-	  that is present in the redirection zone but a type that
-	  is not present will now return NOERROR instead of NXDOMAIN.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-	  When a zone contained a delegation to an IPv6 name server
-	  but not an IPv4 name server, it was possible for a memory
-	  reference to be left un-freed. This caused an assertion
-	  failure on server shutdown, but was otherwise harmless.
-	  [RT #37796]
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-	  Due to an inadvertent removal of code in the previous
-	  release, when <command>named</command> encountered an
-	  authoritative name server which dropped all EDNS queries,
-	  it did not always try plain DNS. This has been corrected.
-	  [RT #37965]
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-	  A regression caused nsupdate to use the default recursive servers
-	  rather than the SOA MNAME server when sending the UPDATE.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-	  Adjusted max-recursion-queries to better accommodate empty
-	  caches.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-	  Built-in "empty" zones did not correctly inherit the
-	  "allow-transfer" ACL from the options or view. [RT #38310]
-        </para>
-      </listitem>
-      <listitem>
-	<para>
-	  A mutex leak was fixed that could cause <command>named</command>
-	  processes to grow to very large sizes. [RT #38454]
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  Fixed some bugs in RFC 5011 trust anchor management,
-	  including a memory leak and a possible loss of state
-	  information.[RT #38458]
-	</para>
-      </listitem>
     </itemizedlist>
   </sect2>
   <sect2 id="end_of_life">
     <title>End of Life</title>
     <para>
       The BIND 9.9 (Extended Support Version) will be supported until June, 2017.
       <ulink url="https://www.isc.org/downloads/software-support-policy/"
-        >https://www.isc.org/downloads/software-support-policy/</ulink>
+	>https://www.isc.org/downloads/software-support-policy/</ulink>
     </para>
   </sect2>
   <sect2 id="relnotes_thanks">
     <title>Thank You</title>
     <para>
       Thank you to everyone who assisted us in making this release possible.
       If you would like to contribute to ISC to assist us in continuing to
       make quality open source software, please visit our donations page at
       <ulink url="http://www.isc.org/donate/"
 	>http://www.isc.org/donate/</ulink>.
     </para>
   </sect2>
 </sect1>
Index: stable/9/contrib/bind9/lib/dns/api
===================================================================
--- stable/9/contrib/bind9/lib/dns/api	(revision 286123)
+++ stable/9/contrib/bind9/lib/dns/api	(revision 286124)
@@ -1,9 +1,9 @@
 # LIBINTERFACE ranges
 # 9.6: 50-59, 110-119
 # 9.7: 60-79
 # 9.8: 80-89, 120-129
 # 9.9: 90-109
 # 9.9-sub: 130-139
 LIBINTERFACE = 107
-LIBREVISION = 0
+LIBREVISION = 2
 LIBAGE = 1
Index: stable/9/contrib/bind9/lib/lwres/man/lwres.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres.html	(revision 286124)
@@ -1,218 +1,218 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres &#8212; introduction to the lightweight resolver library</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis"><pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543360"></a><h2>DESCRIPTION</h2>
+<a name="id2543357"></a><h2>DESCRIPTION</h2>
 <p>
       The BIND 9 lightweight resolver library is a simple, name service
       independent stub resolver library.  It provides hostname-to-address
       and address-to-hostname lookup services to applications by
       transmitting lookup requests to a resolver daemon
       <span><strong class="command">lwresd</strong></span>
       running on the local host. The resolver daemon performs the
       lookup using the DNS or possibly other name service protocols,
       and returns the results to the application through the library.
       The library and resolver daemon communicate using a simple
       UDP-based protocol.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543372"></a><h2>OVERVIEW</h2>
+<a name="id2543370"></a><h2>OVERVIEW</h2>
 <p>
       The lwresd library implements multiple name service APIs.
       The standard
       <code class="function">gethostbyname()</code>,
       <code class="function">gethostbyaddr()</code>,
       <code class="function">gethostbyname_r()</code>,
       <code class="function">gethostbyaddr_r()</code>,
       <code class="function">getaddrinfo()</code>,
       <code class="function">getipnodebyname()</code>,
       and
       <code class="function">getipnodebyaddr()</code>
       functions are all supported.  To allow the lwres library to coexist
       with system libraries that define functions of the same name,
       the library defines these functions with names prefixed by
       <code class="literal">lwres_</code>.
       To define the standard names, applications must include the
       header file
       <code class="filename">&lt;lwres/netdb.h&gt;</code>
       which contains macro definitions mapping the standard function names
       into
       <code class="literal">lwres_</code>
       prefixed ones.  Operating system vendors who integrate the lwres
       library into their base distributions should rename the functions
       in the library proper so that the renaming macros are not needed.
     </p>
 <p>
       The library also provides a native API consisting of the functions
       <code class="function">lwres_getaddrsbyname()</code>
       and
       <code class="function">lwres_getnamebyaddr()</code>.
       These may be called by applications that require more detailed
       control over the lookup process than the standard functions
       provide.
     </p>
 <p>
       In addition to these name service independent address lookup
       functions, the library implements a new, experimental API
       for looking up arbitrary DNS resource records, using the
       <code class="function">lwres_getaddrsbyname()</code>
       function.
     </p>
 <p>
       Finally, there is a low-level API for converting lookup
       requests and responses to and from raw lwres protocol packets.
       This API can be used by clients requiring nonblocking operation,
       and is also used when implementing the server side of the lwres
       protocol, for example in the
       <span><strong class="command">lwresd</strong></span>
       resolver daemon.  The use of this low-level API in clients
       and servers is outlined in the following sections.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543436"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
+<a name="id2543434"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
 <p>
       When a client program wishes to make an lwres request using the
       native low-level API, it typically performs the following
       sequence of actions.
     </p>
 <p>
       (1) Allocate or use an existing <span class="type">lwres_packet_t</span>,
       called <code class="varname">pkt</code> below.
     </p>
 <p>
       (2) Set <em class="structfield"><code>pkt.recvlength</code></em> to the maximum length
       we will accept.
       This is done so the receiver of our packets knows how large our receive
       buffer is.  The "default" is a constant in
       <code class="filename">lwres.h</code>: <code class="constant">LWRES_RECVLENGTH = 4096</code>.
     </p>
 <p>
       (3) Set <em class="structfield"><code>pkt.serial</code></em>
       to a unique serial number.  This value is echoed
       back to the application by the remote server.
     </p>
 <p>
       (4) Set <em class="structfield"><code>pkt.pktflags</code></em>.  Usually this is set to
       0.
     </p>
 <p>
       (5) Set <em class="structfield"><code>pkt.result</code></em> to 0.
     </p>
 <p>
       (6) Call <code class="function">lwres_*request_render()</code>,
       or marshall in the data using the primitives
       such as <code class="function">lwres_packet_render()</code>
       and storing the packet data.
     </p>
 <p>
       (7) Transmit the resulting buffer.
     </p>
 <p>
       (8) Call <code class="function">lwres_*response_parse()</code>
       to parse any packets received.
     </p>
 <p>
       (9) Verify that the opcode and serial match a request, and process the
       packet specific information contained in the body.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543585"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
+<a name="id2543582"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
 <p>
       When implementing the server side of the lightweight resolver
       protocol using the lwres library, a sequence of actions like the
       following is typically involved in processing each request packet.
     </p>
 <p>
       Note that the same <span class="type">lwres_packet_t</span> is used
       in both the <code class="function">_parse()</code> and <code class="function">_render()</code> calls,
       with only a few modifications made
       to the packet header's contents between uses.  This method is
       recommended
       as it keeps the serial, opcode, and other fields correct.
     </p>
 <p>
       (1) When a packet is received, call <code class="function">lwres_*request_parse()</code> to
       unmarshall it.  This returns a <span class="type">lwres_packet_t</span> (also called <code class="varname">pkt</code>, below)
       as well as a data specific type, such as <span class="type">lwres_gabnrequest_t</span>.
     </p>
 <p>
       (2) Process the request in the data specific type.
     </p>
 <p>
       (3) Set the <em class="structfield"><code>pkt.result</code></em>,
       <em class="structfield"><code>pkt.recvlength</code></em> as above.  All other fields
       can
       be left untouched since they were filled in by the <code class="function">*_parse()</code> call
       above.  If using <code class="function">lwres_*response_render()</code>,
       <em class="structfield"><code>pkt.pktflags</code></em> will be set up
       properly.  Otherwise, the <code class="constant">LWRES_LWPACKETFLAG_RESPONSE</code> bit should be
       set.
     </p>
 <p>
       (4) Call the data specific rendering function, such as
       <code class="function">lwres_gabnresponse_render()</code>.
     </p>
 <p>
       (5) Send the resulting packet to the client.
     </p>
 <p></p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543668"></a><h2>SEE ALSO</h2>
+<a name="id2543666"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_noop</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_gnba</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_context</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_config</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>.
 
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_buffer.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_buffer.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_buffer.html	(revision 286124)
@@ -1,455 +1,455 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_buffer</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem &#8212; lightweight resolver buffer management</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">
 #include &lt;lwres/lwbuffer.h&gt;
 </pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_init</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>void * </td>
 <td>
 <var class="pdparam">base</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>unsigned int  </td>
 <td>
 <var class="pdparam">length</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_invalidate</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var><code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_add</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>unsigned int  </td>
 <td>
 <var class="pdparam">n</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_subtract</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>unsigned int  </td>
 <td>
 <var class="pdparam">n</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_clear</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var><code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_first</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var><code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_forward</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>unsigned int  </td>
 <td>
 <var class="pdparam">n</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_back</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>unsigned int  </td>
 <td>
 <var class="pdparam">n</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 lwres_uint8_t
 <b class="fsfunc">lwres_buffer_getuint8</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var><code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_putuint8</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_uint8_t  </td>
 <td>
 <var class="pdparam">val</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 lwres_uint16_t
 <b class="fsfunc">lwres_buffer_getuint16</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var><code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_putuint16</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_uint16_t  </td>
 <td>
 <var class="pdparam">val</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 lwres_uint32_t
 <b class="fsfunc">lwres_buffer_getuint32</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var><code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_putuint32</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_uint32_t  </td>
 <td>
 <var class="pdparam">val</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_putmem</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>const unsigned char * </td>
 <td>
 <var class="pdparam">base</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>unsigned int  </td>
 <td>
 <var class="pdparam">length</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_buffer_getmem</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>unsigned char * </td>
 <td>
 <var class="pdparam">base</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>unsigned int  </td>
 <td>
 <var class="pdparam">length</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543904"></a><h2>DESCRIPTION</h2>
+<a name="id2543901"></a><h2>DESCRIPTION</h2>
 <p>
       These functions provide bounds checked access to a region of memory
       where data is being read or written.
       They are based on, and similar to, the
       <code class="literal">isc_buffer_</code>
       functions in the ISC library.
     </p>
 <p>
       A buffer is a region of memory, together with a set of related
       subregions.
       The <span class="emphasis"><em>used region</em></span> and the
       <span class="emphasis"><em>available</em></span> region are disjoint, and
       their union is the buffer's region.
       The used region extends from the beginning of the buffer region to the
       last used byte.
       The available region extends from one byte greater than the last used
       byte to the end of the  buffer's region.
       The size of the used region can be changed using various
       buffer commands.
       Initially, the used region is empty.
     </p>
 <p>
       The used region is further subdivided into two disjoint regions: the
       <span class="emphasis"><em>consumed region</em></span> and the <span class="emphasis"><em>remaining region</em></span>.
       The union of these two regions is the used region.
       The consumed region extends from the beginning of the used region to
       the byte before the <span class="emphasis"><em>current</em></span> offset (if any).
       The <span class="emphasis"><em>remaining</em></span> region the current pointer to the end
       of the used
       region.
       The size of the consumed region can be changed using various
       buffer commands.
       Initially, the consumed region is empty.
     </p>
 <p>
       The <span class="emphasis"><em>active region</em></span> is an (optional) subregion of the
       remaining
       region.
       It extends from the current offset to an offset in the
       remaining region.
       Initially, the active region is empty.
       If the current offset advances beyond the chosen offset,
       the active region will also be empty.
     </p>
 <pre class="programlisting">
    /------------entire length---------------\\
    /----- used region -----\\/-- available --\\
    +----------------------------------------+
    | consumed  | remaining |                |
    +----------------------------------------+
    a           b     c     d                e
       </pre>
 <p>
     </p>
 <pre class="programlisting">
   a == base of buffer.
   b == current pointer.  Can be anywhere between a and d.
   c == active pointer.  Meaningful between b and d.
   d == used pointer.
   e == length of buffer.
       </pre>
 <p>
     </p>
 <pre class="programlisting">
   a-e == entire length of buffer.
   a-d == used region.
   a-b == consumed region.
   b-d == remaining region.
   b-c == optional active region.
 </pre>
 <p>
     </p>
 <p><code class="function">lwres_buffer_init()</code>
       initializes the
       <span class="type">lwres_buffer_t</span>
       <em class="parameter"><code>*b</code></em>
       and assocates it with the memory region of size
       <em class="parameter"><code>length</code></em>
       bytes starting at location
       <em class="parameter"><code>base.</code></em>
     </p>
 <p><code class="function">lwres_buffer_invalidate()</code>
       marks the buffer <em class="parameter"><code>*b</code></em>
       as invalid.  Invalidating a buffer after use is not required,
       but makes it possible to catch its possible accidental use.
     </p>
 <p>
       The functions
       <code class="function">lwres_buffer_add()</code>
       and
       <code class="function">lwres_buffer_subtract()</code>
       respectively increase and decrease the used space in
       buffer
       <em class="parameter"><code>*b</code></em>
       by
       <em class="parameter"><code>n</code></em>
       bytes.
       <code class="function">lwres_buffer_add()</code>
       checks for buffer overflow and
       <code class="function">lwres_buffer_subtract()</code>
       checks for underflow.
       These functions do not allocate or deallocate memory.
       They just change the value of
       <em class="structfield"><code>used</code></em>.
     </p>
 <p>
       A buffer is re-initialised by
       <code class="function">lwres_buffer_clear()</code>.
       The function sets
       <em class="structfield"><code>used</code></em>,
       <em class="structfield"><code>current</code></em>
       and
       <em class="structfield"><code>active</code></em>
       to zero.
     </p>
 <p><code class="function">lwres_buffer_first</code>
       makes the consumed region of buffer
       <em class="parameter"><code>*p</code></em>
       empty by setting
       <em class="structfield"><code>current</code></em>
       to zero (the start of the buffer).
     </p>
 <p><code class="function">lwres_buffer_forward()</code>
       increases the consumed region of buffer
       <em class="parameter"><code>*b</code></em>
       by
       <em class="parameter"><code>n</code></em>
       bytes, checking for overflow.
       Similarly,
       <code class="function">lwres_buffer_back()</code>
       decreases buffer
       <em class="parameter"><code>b</code></em>'s
       consumed region by
       <em class="parameter"><code>n</code></em>
       bytes and checks for underflow.
     </p>
 <p><code class="function">lwres_buffer_getuint8()</code>
       reads an unsigned 8-bit integer from
       <em class="parameter"><code>*b</code></em>
       and returns it.
       <code class="function">lwres_buffer_putuint8()</code>
       writes the unsigned 8-bit integer
       <em class="parameter"><code>val</code></em>
       to buffer
       <em class="parameter"><code>*b</code></em>.
     </p>
 <p><code class="function">lwres_buffer_getuint16()</code>
       and
       <code class="function">lwres_buffer_getuint32()</code>
       are identical to
       <code class="function">lwres_buffer_putuint8()</code>
       except that they respectively read an unsigned 16-bit or 32-bit integer
       in network byte order from
       <em class="parameter"><code>b</code></em>.
       Similarly,
       <code class="function">lwres_buffer_putuint16()</code>
       and
       <code class="function">lwres_buffer_putuint32()</code>
       writes the unsigned 16-bit or 32-bit integer
       <em class="parameter"><code>val</code></em>
       to buffer
       <em class="parameter"><code>b</code></em>,
       in network byte order.
     </p>
 <p>
       Arbitrary amounts of data are read or written from a lightweight
       resolver buffer with
       <code class="function">lwres_buffer_getmem()</code>
       and
       <code class="function">lwres_buffer_putmem()</code>
       respectively.
       <code class="function">lwres_buffer_putmem()</code>
       copies
       <em class="parameter"><code>length</code></em>
       bytes of memory at
       <em class="parameter"><code>base</code></em>
       to
       <em class="parameter"><code>b</code></em>.
       Conversely,
       <code class="function">lwres_buffer_getmem()</code>
       copies
       <em class="parameter"><code>length</code></em>
       bytes of memory from
       <em class="parameter"><code>b</code></em>
       to
       <em class="parameter"><code>base</code></em>.
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_config.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_config.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_config.html	(revision 286124)
@@ -1,156 +1,156 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_config</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get &#8212; lightweight resolver configuration</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_conf_init</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var><code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_conf_clear</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var><code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_conf_parse</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>const char * </td>
 <td>
 <var class="pdparam">filename</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_conf_print</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>FILE * </td>
 <td>
 <var class="pdparam">fp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
 <td><code class="funcdef">
 lwres_conf_t *
 <b class="fsfunc">lwres_conf_get</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var><code>)</code>;</td>
 </tr></table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543452"></a><h2>DESCRIPTION</h2>
+<a name="id2543450"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_conf_init()</code>
       creates an empty
       <span class="type">lwres_conf_t</span>
       structure for lightweight resolver context
       <em class="parameter"><code>ctx</code></em>.
     </p>
 <p><code class="function">lwres_conf_clear()</code>
       frees up all the internal memory used by
       that
       <span class="type">lwres_conf_t</span>
       structure in resolver context
       <em class="parameter"><code>ctx</code></em>.
     </p>
 <p><code class="function">lwres_conf_parse()</code>
       opens the file
       <em class="parameter"><code>filename</code></em>
       and parses it to initialise the resolver context
       <em class="parameter"><code>ctx</code></em>'s
       <span class="type">lwres_conf_t</span>
       structure.
     </p>
 <p><code class="function">lwres_conf_print()</code>
       prints the
       <span class="type">lwres_conf_t</span>
       structure for resolver context
       <em class="parameter"><code>ctx</code></em>
       to the
       <span class="type">FILE</span>
       <em class="parameter"><code>fp</code></em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543520"></a><h2>RETURN VALUES</h2>
+<a name="id2543517"></a><h2>RETURN VALUES</h2>
 <p><code class="function">lwres_conf_parse()</code>
       returns <span class="errorcode">LWRES_R_SUCCESS</span>
       if it successfully read and parsed
       <em class="parameter"><code>filename</code></em>.
       It returns <span class="errorcode">LWRES_R_FAILURE</span>
       if <em class="parameter"><code>filename</code></em>
       could not be opened or contained incorrect
       resolver statements.
     </p>
 <p><code class="function">lwres_conf_print()</code>
       returns <span class="errorcode">LWRES_R_SUCCESS</span>
       unless an error occurred when converting the network addresses to a
       numeric host address string.
       If this happens, the function returns
       <span class="errorcode">LWRES_R_FAILURE</span>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543557"></a><h2>SEE ALSO</h2>
+<a name="id2543555"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">stdio</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543582"></a><h2>FILES</h2>
+<a name="id2543580"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_context.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_context.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_context.html	(revision 286124)
@@ -1,295 +1,295 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_context</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv &#8212; lightweight resolver context management</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_context_create</b>(</code></td>
 <td>lwres_context_t ** </td>
 <td>
 <var class="pdparam">contextp</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>void * </td>
 <td>
 <var class="pdparam">arg</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_malloc_t  </td>
 <td>
 <var class="pdparam">malloc_function</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_free_t  </td>
 <td>
 <var class="pdparam">free_function</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_context_destroy</b>(</code></td>
 <td>lwres_context_t ** </td>
 <td>
 <var class="pdparam">contextp</var><code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_context_initserial</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_uint32_t  </td>
 <td>
 <var class="pdparam">serial</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 lwres_uint32_t
 <b class="fsfunc">lwres_context_nextserial</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var><code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_context_freemem</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>void * </td>
 <td>
 <var class="pdparam">mem</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>size_t  </td>
 <td>
 <var class="pdparam">len</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_context_allocmem</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>size_t  </td>
 <td>
 <var class="pdparam">len</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
 <tr>
 <td><code class="funcdef">
 void *
 <b class="fsfunc">lwres_context_sendrecv</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>void * </td>
 <td>
 <var class="pdparam">sendbase</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int  </td>
 <td>
 <var class="pdparam">sendlen</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>void * </td>
 <td>
 <var class="pdparam">recvbase</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int  </td>
 <td>
 <var class="pdparam">recvlen</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int * </td>
 <td>
 <var class="pdparam">recvd_len</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543543"></a><h2>DESCRIPTION</h2>
+<a name="id2543541"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_context_create()</code>
       creates a <span class="type">lwres_context_t</span> structure for use in
       lightweight resolver operations.  It holds a socket and other
       data needed for communicating with a resolver daemon.  The new
       <span class="type">lwres_context_t</span> is returned through
       <em class="parameter"><code>contextp</code></em>, a pointer to a
       <span class="type">lwres_context_t</span> pointer.  This
       <span class="type">lwres_context_t</span> pointer must initially be NULL, and
       is modified to point to the newly created
       <span class="type">lwres_context_t</span>.
     </p>
 <p>
       When the lightweight resolver needs to perform dynamic memory
       allocation, it will call
       <em class="parameter"><code>malloc_function</code></em>
       to allocate memory and
       <em class="parameter"><code>free_function</code></em>
       to free it.  If
       <em class="parameter"><code>malloc_function</code></em>
       and
       <em class="parameter"><code>free_function</code></em>
       are NULL, memory is allocated using
       <span class="citerefentry"><span class="refentrytitle">malloc</span>(3)</span>.
       and
       <span class="citerefentry"><span class="refentrytitle">free</span>(3)</span>.
 
       It is not permitted to have a NULL
       <em class="parameter"><code>malloc_function</code></em> and a non-NULL
       <em class="parameter"><code>free_function</code></em> or vice versa.
       <em class="parameter"><code>arg</code></em> is passed as the first parameter to
       the memory allocation functions.  If
       <em class="parameter"><code>malloc_function</code></em> and
       <em class="parameter"><code>free_function</code></em> are NULL,
       <em class="parameter"><code>arg</code></em> is unused and should be passed as
       NULL.
     </p>
 <p>
       Once memory for the structure has been allocated,
       it is initialized using
       <span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>
       and returned via <em class="parameter"><code>*contextp</code></em>.
     </p>
 <p><code class="function">lwres_context_destroy()</code>
       destroys a <span class="type">lwres_context_t</span>, closing its socket.
       <em class="parameter"><code>contextp</code></em> is a pointer to a pointer to the
       context that is to be destroyed.  The pointer will be set to
       NULL when the context has been destroyed.
     </p>
 <p>
       The context holds a serial number that is used to identify
       resolver request packets and associate responses with the
       corresponding requests.  This serial number is controlled using
       <code class="function">lwres_context_initserial()</code> and
       <code class="function">lwres_context_nextserial()</code>.
       <code class="function">lwres_context_initserial()</code> sets the serial
       number for context <em class="parameter"><code>*ctx</code></em> to
       <em class="parameter"><code>serial</code></em>.
       <code class="function">lwres_context_nextserial()</code> increments the
       serial number and returns the previous value.
     </p>
 <p>
       Memory for a lightweight resolver context is allocated and freed
       using <code class="function">lwres_context_allocmem()</code> and
       <code class="function">lwres_context_freemem()</code>.  These use
       whatever allocations were defined when the context was created
       with <code class="function">lwres_context_create()</code>.
       <code class="function">lwres_context_allocmem()</code> allocates
       <em class="parameter"><code>len</code></em> bytes of memory and if successful
       returns a pointer to the allocated storage.
       <code class="function">lwres_context_freemem()</code> frees
       <em class="parameter"><code>len</code></em> bytes of space starting at location
       <em class="parameter"><code>mem</code></em>.
     </p>
 <p><code class="function">lwres_context_sendrecv()</code>
       performs I/O for the context <em class="parameter"><code>ctx</code></em>.  Data
       are read and written from the context's socket.  It writes data
       from <em class="parameter"><code>sendbase</code></em> &#8212; typically a
       lightweight resolver query packet &#8212; and waits for a reply
       which is copied to the receive buffer at
       <em class="parameter"><code>recvbase</code></em>.  The number of bytes that were
       written to this receive buffer is returned in
       <em class="parameter"><code>*recvd_len</code></em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543731"></a><h2>RETURN VALUES</h2>
+<a name="id2543729"></a><h2>RETURN VALUES</h2>
 <p><code class="function">lwres_context_create()</code>
       returns <span class="errorcode">LWRES_R_NOMEMORY</span> if memory for
       the <span class="type">struct lwres_context</span> could not be allocated,
       <span class="errorcode">LWRES_R_SUCCESS</span> otherwise.
     </p>
 <p>
       Successful calls to the memory allocator
       <code class="function">lwres_context_allocmem()</code>
       return a pointer to the start of the allocated space.
       It returns NULL if memory could not be allocated.
     </p>
 <p><span class="errorcode">LWRES_R_SUCCESS</span>
       is returned when
       <code class="function">lwres_context_sendrecv()</code>
       completes successfully.
       <span class="errorcode">LWRES_R_IOERROR</span>
       is returned if an I/O error occurs and
       <span class="errorcode">LWRES_R_TIMEOUT</span>
       is returned if
       <code class="function">lwres_context_sendrecv()</code>
       times out waiting for a response.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543781"></a><h2>SEE ALSO</h2>
+<a name="id2543779"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">malloc</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">free</span>(3)</span>.
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_gabn.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_gabn.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_gabn.html	(revision 286124)
@@ -1,324 +1,324 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gabn</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free &#8212; lightweight resolver getaddrbyname message handling</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_gabnrequest_render</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_gabnrequest_t * </td>
 <td>
 <var class="pdparam">req</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_gabnresponse_render</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_gabnresponse_t * </td>
 <td>
 <var class="pdparam">req</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_gabnrequest_parse</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_gabnrequest_t ** </td>
 <td>
 <var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_gabnresponse_parse</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_gabnresponse_t ** </td>
 <td>
 <var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_gabnresponse_free</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_gabnresponse_t ** </td>
 <td>
 <var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_gabnrequest_free</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_gabnrequest_t ** </td>
 <td>
 <var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543533"></a><h2>DESCRIPTION</h2>
+<a name="id2543531"></a><h2>DESCRIPTION</h2>
 <p>
       These are low-level routines for creating and parsing
       lightweight resolver name-to-address lookup request and
       response messages.
     </p>
 <p>
       There are four main functions for the getaddrbyname opcode.
       One render function converts a getaddrbyname request structure &#8212;
       <span class="type">lwres_gabnrequest_t</span> &#8212;
       to the lightweight resolver's canonical format.
       It is complemented by a parse function that converts a packet in this
       canonical format to a getaddrbyname request structure.
       Another render function converts the getaddrbyname response structure
       &#8212; <span class="type">lwres_gabnresponse_t</span> &#8212;
       to the canonical format.
       This is complemented by a parse function which converts a packet in
       canonical format to a getaddrbyname response structure.
     </p>
 <p>
       These structures are defined in
       <code class="filename">&lt;lwres/lwres.h&gt;</code>.
       They are shown below.
     </p>
 <pre class="programlisting">
 #define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
 </pre>
 <p>
     </p>
 <pre class="programlisting">
 typedef struct lwres_addr lwres_addr_t;
 typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
 </pre>
 <p>
     </p>
 <pre class="programlisting">
 typedef struct {
         lwres_uint32_t  flags;
         lwres_uint32_t  addrtypes;
         lwres_uint16_t  namelen;
         char           *name;
 } lwres_gabnrequest_t;
 </pre>
 <p>
     </p>
 <pre class="programlisting">
 typedef struct {
         lwres_uint32_t          flags;
         lwres_uint16_t          naliases;
         lwres_uint16_t          naddrs;
         char                   *realname;
         char                  **aliases;
         lwres_uint16_t          realnamelen;
         lwres_uint16_t         *aliaslen;
         lwres_addrlist_t        addrs;
         void                   *base;
         size_t                  baselen;
 } lwres_gabnresponse_t;
 </pre>
 <p>
     </p>
 <p><code class="function">lwres_gabnrequest_render()</code>
       uses resolver context <em class="parameter"><code>ctx</code></em> to convert
       getaddrbyname request structure <em class="parameter"><code>req</code></em> to
       canonical format.  The packet header structure
       <em class="parameter"><code>pkt</code></em> is initialised and transferred to
       buffer <em class="parameter"><code>b</code></em>.
 
       The contents of <em class="parameter"><code>*req</code></em> are then appended to
       the buffer in canonical format.
       <code class="function">lwres_gabnresponse_render()</code> performs the
       same task, except it converts a getaddrbyname response structure
       <span class="type">lwres_gabnresponse_t</span> to the lightweight resolver's
       canonical format.
     </p>
 <p><code class="function">lwres_gabnrequest_parse()</code>
       uses context <em class="parameter"><code>ctx</code></em> to convert the contents
       of packet <em class="parameter"><code>pkt</code></em> to a
       <span class="type">lwres_gabnrequest_t</span> structure.  Buffer
       <em class="parameter"><code>b</code></em> provides space to be used for storing
       this structure.  When the function succeeds, the resulting
       <span class="type">lwres_gabnrequest_t</span> is made available through
       <em class="parameter"><code>*structp</code></em>.
 
       <code class="function">lwres_gabnresponse_parse()</code> offers the same
       semantics as <code class="function">lwres_gabnrequest_parse()</code>
       except it yields a <span class="type">lwres_gabnresponse_t</span> structure.
     </p>
 <p><code class="function">lwres_gabnresponse_free()</code>
       and <code class="function">lwres_gabnrequest_free()</code> release the
       memory in resolver context <em class="parameter"><code>ctx</code></em> that was
       allocated to the <span class="type">lwres_gabnresponse_t</span> or
       <span class="type">lwres_gabnrequest_t</span> structures referenced via
       <em class="parameter"><code>structp</code></em>.
 
       Any memory associated with ancillary buffers and strings for
       those structures is also discarded.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543678"></a><h2>RETURN VALUES</h2>
+<a name="id2543676"></a><h2>RETURN VALUES</h2>
 <p>
       The getaddrbyname opcode functions
       <code class="function">lwres_gabnrequest_render()</code>,
       <code class="function">lwres_gabnresponse_render()</code>
       <code class="function">lwres_gabnrequest_parse()</code>
       and
       <code class="function">lwres_gabnresponse_parse()</code>
       all return
       <span class="errorcode">LWRES_R_SUCCESS</span>
       on success.
       They return
       <span class="errorcode">LWRES_R_NOMEMORY</span>
       if memory allocation fails.
       <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
       is returned if the available space in the buffer
       <em class="parameter"><code>b</code></em>
       is too small to accommodate the packet header or the
       <span class="type">lwres_gabnrequest_t</span>
       and
       <span class="type">lwres_gabnresponse_t</span>
       structures.
       <code class="function">lwres_gabnrequest_parse()</code>
       and
       <code class="function">lwres_gabnresponse_parse()</code>
       will return
       <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
       if the buffer is not empty after decoding the received packet.
       These functions will return
       <span class="errorcode">LWRES_R_FAILURE</span>
       if
       <em class="structfield"><code>pktflags</code></em>
       in the packet header structure
       <span class="type">lwres_lwpacket_t</span>
       indicate that the packet is not a response to an earlier query.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543745"></a><h2>SEE ALSO</h2>
+<a name="id2543742"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html	(revision 286124)
@@ -1,124 +1,124 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gai_strerror</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_gai_strerror &#8212; print suitable error string</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
 <td><code class="funcdef">
 char *
 <b class="fsfunc">gai_strerror</b>(</code></td>
 <td>int  </td>
 <td>
 <var class="pdparam">ecode</var><code>)</code>;</td>
 </tr></table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543372"></a><h2>DESCRIPTION</h2>
+<a name="id2543370"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_gai_strerror()</code>
       returns an error message corresponding to an error code returned by
       <code class="function">getaddrinfo()</code>.
       The following error codes and their meaning are defined in
       <code class="filename">include/lwres/netdb.h</code>.
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span class="errorcode">EAI_ADDRFAMILY</span></span></dt>
 <dd><p>
               address family for hostname not supported
             </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_AGAIN</span></span></dt>
 <dd><p>
               temporary failure in name resolution
             </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_BADFLAGS</span></span></dt>
 <dd><p>
               invalid value for
               <code class="constant">ai_flags</code>
             </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_FAIL</span></span></dt>
 <dd><p>
               non-recoverable failure in name resolution
             </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_FAMILY</span></span></dt>
 <dd><p><code class="constant">ai_family</code> not supported
             </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_MEMORY</span></span></dt>
 <dd><p>
               memory allocation failure
             </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_NODATA</span></span></dt>
 <dd><p>
               no address associated with hostname
             </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_NONAME</span></span></dt>
 <dd><p>
               hostname or servname not provided, or not known
             </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_SERVICE</span></span></dt>
 <dd><p>
               servname not supported for <code class="constant">ai_socktype</code>
             </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_SOCKTYPE</span></span></dt>
 <dd><p><code class="constant">ai_socktype</code> not supported
             </p></dd>
 <dt><span class="term"><span class="errorcode">EAI_SYSTEM</span></span></dt>
 <dd><p>
               system error returned in errno
             </p></dd>
 </dl></div>
 <p>
       The message <span class="errorname">invalid error code</span> is returned if
       <em class="parameter"><code>ecode</code></em>
       is out of range.
     </p>
 <p><code class="constant">ai_flags</code>,
       <code class="constant">ai_family</code>
       and
       <code class="constant">ai_socktype</code>
       are elements of the
       <span class="type">struct  addrinfo</span>
       used by
       <code class="function">lwres_getaddrinfo()</code>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543588"></a><h2>SEE ALSO</h2>
+<a name="id2543586"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">strerror</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">getaddrinfo</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>.
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html	(revision 286124)
@@ -1,322 +1,322 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getaddrinfo</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getaddrinfo, lwres_freeaddrinfo &#8212; socket address structure to host and service name</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 int
 <b class="fsfunc">lwres_getaddrinfo</b>(</code></td>
 <td>const char * </td>
 <td>
 <var class="pdparam">hostname</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>const char * </td>
 <td>
 <var class="pdparam">servname</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>const struct addrinfo * </td>
 <td>
 <var class="pdparam">hints</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>struct addrinfo ** </td>
 <td>
 <var class="pdparam">res</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_freeaddrinfo</b>(</code></td>
 <td>struct addrinfo * </td>
 <td>
 <var class="pdparam">ai</var><code>)</code>;</td>
 </tr></table>
 </div>
 <p>
       If the operating system does not provide a
       <span class="type">struct addrinfo</span>,
       the following structure is used:
     </p>
 <pre class="programlisting">
 struct  addrinfo {
         int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
         int             ai_family;      /* PF_xxx */
         int             ai_socktype;    /* SOCK_xxx */
         int             ai_protocol;    /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
         size_t          ai_addrlen;     /* length of ai_addr */
         char            *ai_canonname;  /* canonical name for hostname */
         struct sockaddr *ai_addr;       /* binary address */
         struct addrinfo *ai_next;       /* next structure in linked list */
 };
 </pre>
 <p>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543424"></a><h2>DESCRIPTION</h2>
+<a name="id2543421"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_getaddrinfo()</code>
       is used to get a list of IP addresses and port numbers for host
       <em class="parameter"><code>hostname</code></em> and service
       <em class="parameter"><code>servname</code></em>.
 
       The function is the lightweight resolver's implementation of
       <code class="function">getaddrinfo()</code> as defined in RFC2133.
       <em class="parameter"><code>hostname</code></em> and
       <em class="parameter"><code>servname</code></em> are pointers to null-terminated
       strings or <span class="type">NULL</span>.
 
       <em class="parameter"><code>hostname</code></em> is either a host name or a
       numeric host address string: a dotted decimal IPv4 address or an
       IPv6 address.  <em class="parameter"><code>servname</code></em> is either a
       decimal port number or a service name as listed in
       <code class="filename">/etc/services</code>.
     </p>
 <p><em class="parameter"><code>hints</code></em>
       is an optional pointer to a
       <span class="type">struct addrinfo</span>.
       This structure can be used to provide hints concerning the type of
       socket
       that the caller supports or wishes to use.
       The caller can supply the following structure elements in
       <em class="parameter"><code>*hints</code></em>:
 
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">ai_family</code></span></dt>
 <dd><p>
               The protocol family that should be used.
               When
               <code class="constant">ai_family</code>
               is set to
               <span class="type">PF_UNSPEC</span>,
               it means the caller will accept any protocol family supported by
               the
               operating system.
             </p></dd>
 <dt><span class="term"><code class="constant">ai_socktype</code></span></dt>
 <dd><p>
               denotes the type of socket &#8212;
               <span class="type">SOCK_STREAM</span>,
               <span class="type">SOCK_DGRAM</span>
               or
               <span class="type">SOCK_RAW</span>
               &#8212; that is wanted.
               When
               <code class="constant">ai_socktype</code>
               is zero the caller will accept any socket type.
             </p></dd>
 <dt><span class="term"><code class="constant">ai_protocol</code></span></dt>
 <dd><p>
               indicates which transport protocol is wanted: IPPROTO_UDP or
               IPPROTO_TCP.
               If
               <code class="constant">ai_protocol</code>
               is zero the caller will accept any protocol.
             </p></dd>
 <dt><span class="term"><code class="constant">ai_flags</code></span></dt>
 <dd>
 <p>
               Flag bits.
               If the
               <span class="type">AI_CANONNAME</span>
               bit is set, a successful call to
               <code class="function">lwres_getaddrinfo()</code>
               will return a null-terminated string containing the canonical
               name
               of the specified hostname in
               <code class="constant">ai_canonname</code>
               of the first
               <span class="type">addrinfo</span>
               structure returned.
               Setting the
               <span class="type">AI_PASSIVE</span>
               bit indicates that the returned socket address structure is
               intended
               for used in a call to
               <span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>.
 
               In this case, if the hostname argument is a
               <span class="type">NULL</span>
               pointer, then the IP address portion of the socket
               address structure will be set to
               <span class="type">INADDR_ANY</span>
               for an IPv4 address or
               <span class="type">IN6ADDR_ANY_INIT</span>
               for an IPv6 address.
             </p>
 <p>
               When
               <code class="constant">ai_flags</code>
               does not set the
               <span class="type">AI_PASSIVE</span>
               bit, the returned socket address structure will be ready
               for use in a call to
               <span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>
               for a connection-oriented protocol or
               <span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>,
 
               <span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>,
 
               or
               <span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2)</span>
               if a connectionless protocol was chosen.
               The IP address portion of the socket address structure will be
               set to the loopback address if
               <em class="parameter"><code>hostname</code></em>
               is a
               <span class="type">NULL</span>
               pointer and
               <span class="type">AI_PASSIVE</span>
               is not set in
               <code class="constant">ai_flags</code>.
             </p>
 <p>
               If
               <code class="constant">ai_flags</code>
               is set to
               <span class="type">AI_NUMERICHOST</span>
               it indicates that
               <em class="parameter"><code>hostname</code></em>
               should be treated as a numeric string defining an IPv4 or IPv6
               address
               and no name resolution should be attempted.
             </p>
 </dd>
 </dl></div>
 <p>
     </p>
 <p>
       All other elements of the <span class="type">struct addrinfo</span> passed
       via <em class="parameter"><code>hints</code></em> must be zero.
     </p>
 <p>
       A <em class="parameter"><code>hints</code></em> of <span class="type">NULL</span> is
       treated as if
       the caller provided a <span class="type">struct addrinfo</span> initialized to zero
       with <code class="constant">ai_family</code>set to
       <code class="constant">PF_UNSPEC</code>.
     </p>
 <p>
       After a successful call to
       <code class="function">lwres_getaddrinfo()</code>,
       <em class="parameter"><code>*res</code></em>
       is a pointer to a linked list of one or more
       <span class="type">addrinfo</span>
       structures.
       Each
       <span class="type">struct addrinfo</span>
       in this list cn be processed by following
       the
       <code class="constant">ai_next</code>
       pointer, until a
       <span class="type">NULL</span>
       pointer is encountered.
       The three members
       <code class="constant">ai_family</code>,
       <code class="constant">ai_socktype</code>,
       and
       <code class="constant">ai_protocol</code>
       in each
       returned
       <span class="type">addrinfo</span>
       structure contain the corresponding arguments for a call to
       <span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>.
       For each
       <span class="type">addrinfo</span>
       structure in the list, the
       <code class="constant">ai_addr</code>
       member points to a filled-in socket address structure of length
       <code class="constant">ai_addrlen</code>.
     </p>
 <p>
       All of the information returned by
       <code class="function">lwres_getaddrinfo()</code>
       is dynamically allocated: the addrinfo structures, and the socket
       address structures and canonical host name strings pointed to by the
       <code class="constant">addrinfo</code>structures.
       Memory allocated for the dynamically allocated structures created by
       a successful call to
       <code class="function">lwres_getaddrinfo()</code>
       is released by
       <code class="function">lwres_freeaddrinfo()</code>.
       <em class="parameter"><code>ai</code></em>
       is a pointer to a
       <span class="type">struct addrinfo</span>
       created by a call to
       <code class="function">lwres_getaddrinfo()</code>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543801"></a><h2>RETURN VALUES</h2>
+<a name="id2543799"></a><h2>RETURN VALUES</h2>
 <p><code class="function">lwres_getaddrinfo()</code>
       returns zero on success or one of the error codes listed in
       <span class="citerefentry"><span class="refentrytitle">gai_strerror</span>(3)</span>
       if an error occurs.  If both <em class="parameter"><code>hostname</code></em> and
       <em class="parameter"><code>servname</code></em> are <span class="type">NULL</span>
       <code class="function">lwres_getaddrinfo()</code> returns
       <span class="errorcode">EAI_NONAME</span>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543838"></a><h2>SEE ALSO</h2>
+<a name="id2543836"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_freeaddrinfo</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_gai_strerror</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
 
       <span class="citerefentry"><span class="refentrytitle">getservbyname</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>.
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_gethostent.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_gethostent.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_gethostent.html	(revision 286124)
@@ -1,466 +1,466 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gethostent</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r &#8212; lightweight resolver get network host entry</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 struct hostent *
 <b class="fsfunc">lwres_gethostbyname</b>(</code></td>
 <td>const char * </td>
 <td>
 <var class="pdparam">name</var><code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 struct hostent *
 <b class="fsfunc">lwres_gethostbyname2</b>(</code></td>
 <td>const char * </td>
 <td>
 <var class="pdparam">name</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int  </td>
 <td>
 <var class="pdparam">af</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 struct hostent *
 <b class="fsfunc">lwres_gethostbyaddr</b>(</code></td>
 <td>const char * </td>
 <td>
 <var class="pdparam">addr</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int  </td>
 <td>
 <var class="pdparam">len</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int  </td>
 <td>
 <var class="pdparam">type</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 struct hostent *
 <b class="fsfunc">lwres_gethostent</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_sethostent</b>(</code></td>
 <td>int  </td>
 <td>
 <var class="pdparam">stayopen</var><code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_endhostent</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 struct hostent *
 <b class="fsfunc">lwres_gethostbyname_r</b>(</code></td>
 <td>const char * </td>
 <td>
 <var class="pdparam">name</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>struct hostent * </td>
 <td>
 <var class="pdparam">resbuf</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>char * </td>
 <td>
 <var class="pdparam">buf</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int  </td>
 <td>
 <var class="pdparam">buflen</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int * </td>
 <td>
 <var class="pdparam">error</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 struct hostent  *
 <b class="fsfunc">lwres_gethostbyaddr_r</b>(</code></td>
 <td>const char * </td>
 <td>
 <var class="pdparam">addr</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int  </td>
 <td>
 <var class="pdparam">len</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int  </td>
 <td>
 <var class="pdparam">type</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>struct hostent * </td>
 <td>
 <var class="pdparam">resbuf</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>char * </td>
 <td>
 <var class="pdparam">buf</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int  </td>
 <td>
 <var class="pdparam">buflen</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int * </td>
 <td>
 <var class="pdparam">error</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 struct hostent  *
 <b class="fsfunc">lwres_gethostent_r</b>(</code></td>
 <td>struct hostent * </td>
 <td>
 <var class="pdparam">resbuf</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>char * </td>
 <td>
 <var class="pdparam">buf</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int  </td>
 <td>
 <var class="pdparam">buflen</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int * </td>
 <td>
 <var class="pdparam">error</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_sethostent_r</b>(</code></td>
 <td>int  </td>
 <td>
 <var class="pdparam">stayopen</var><code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_endhostent_r</b>(</code></td>
 <td> </td>
 <td>
 <code>)</code>;</td>
 </tr></table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543620"></a><h2>DESCRIPTION</h2>
+<a name="id2543618"></a><h2>DESCRIPTION</h2>
 <p>
       These functions provide hostname-to-address and
       address-to-hostname lookups by means of the lightweight resolver.
       They are similar to the standard
       <span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>
       functions provided by most operating systems.
       They use a
       <span class="type">struct hostent</span>
       which is usually defined in
       <code class="filename">&lt;namedb.h&gt;</code>.
     </p>
 <pre class="programlisting">
 struct  hostent {
         char    *h_name;        /* official name of host */
         char    **h_aliases;    /* alias list */
         int     h_addrtype;     /* host address type */
         int     h_length;       /* length of address */
         char    **h_addr_list;  /* list of addresses from name server */
 };
 #define h_addr  h_addr_list[0]  /* address, for backward compatibility */
 </pre>
 <p>
     </p>
 <p>
       The members of this structure are:
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">h_name</code></span></dt>
 <dd><p>
               The official (canonical) name of the host.
             </p></dd>
 <dt><span class="term"><code class="constant">h_aliases</code></span></dt>
 <dd><p>
               A NULL-terminated array of alternate names (nicknames) for the
               host.
             </p></dd>
 <dt><span class="term"><code class="constant">h_addrtype</code></span></dt>
 <dd><p>
               The type of address being returned &#8212;
               <span class="type">PF_INET</span>
               or
               <span class="type">PF_INET6</span>.
             </p></dd>
 <dt><span class="term"><code class="constant">h_length</code></span></dt>
 <dd><p>
               The length of the address in bytes.
             </p></dd>
 <dt><span class="term"><code class="constant">h_addr_list</code></span></dt>
 <dd><p>
               A <span class="type">NULL</span>
               terminated array of network addresses for the host.
               Host addresses are returned in network byte order.
             </p></dd>
 </dl></div>
 <p>
     </p>
 <p>
       For backward compatibility with very old software,
       <code class="constant">h_addr</code>
       is the first address in
       <code class="constant">h_addr_list.</code>
     </p>
 <p><code class="function">lwres_gethostent()</code>,
       <code class="function">lwres_sethostent()</code>,
       <code class="function">lwres_endhostent()</code>,
       <code class="function">lwres_gethostent_r()</code>,
       <code class="function">lwres_sethostent_r()</code>
       and
       <code class="function">lwres_endhostent_r()</code>
       provide iteration over the known host entries on systems that
       provide such functionality through facilities like
       <code class="filename">/etc/hosts</code>
       or NIS.  The lightweight resolver does not currently implement
       these functions; it only provides them as stub functions that always
       return failure.
     </p>
 <p><code class="function">lwres_gethostbyname()</code>
       and <code class="function">lwres_gethostbyname2()</code> look up the
       hostname <em class="parameter"><code>name</code></em>.
       <code class="function">lwres_gethostbyname()</code> always looks for an
       IPv4 address while <code class="function">lwres_gethostbyname2()</code>
       looks for an address of protocol family
       <em class="parameter"><code>af</code></em>: either <span class="type">PF_INET</span> or
       <span class="type">PF_INET6</span> &#8212; IPv4 or IPV6 addresses
       respectively.  Successful calls of the functions return a
       <span class="type">struct hostent</span>for the name that was looked up.
       <span class="type">NULL</span> is returned if the lookups by
       <code class="function">lwres_gethostbyname()</code> or
       <code class="function">lwres_gethostbyname2()</code> fail.
     </p>
 <p>
       Reverse lookups of addresses are performed by
       <code class="function">lwres_gethostbyaddr()</code>.
       <em class="parameter"><code>addr</code></em> is an address of length
       <em class="parameter"><code>len</code></em> bytes and protocol family
       <em class="parameter"><code>type</code></em> &#8212; <span class="type">PF_INET</span> or
       <span class="type">PF_INET6</span>.
       <code class="function">lwres_gethostbyname_r()</code> is a
       thread-safe function
       for forward lookups.  If an error occurs, an error code is returned in
       <em class="parameter"><code>*error</code></em>.
       <em class="parameter"><code>resbuf</code></em> is a pointer to a
       <span class="type">struct hostent</span> which is initialised by a successful call to
       <code class="function">lwres_gethostbyname_r()</code>.
       <em class="parameter"><code>buf</code></em> is a buffer of length
       <em class="parameter"><code>len</code></em> bytes which is used to store the
       <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
       <code class="constant">h_addr_list</code> elements of the
       <span class="type">struct hostent</span> returned in <em class="parameter"><code>resbuf</code></em>.
       Successful calls to <code class="function">lwres_gethostbyname_r()</code>
       return <em class="parameter"><code>resbuf</code></em>,
       which is a pointer to the <span class="type">struct hostent</span> it created.
     </p>
 <p><code class="function">lwres_gethostbyaddr_r()</code>
       is a thread-safe function
       that performs a reverse lookup of address <em class="parameter"><code>addr</code></em>
       which is <em class="parameter"><code>len</code></em> bytes long and is of
       protocol
       family <em class="parameter"><code>type</code></em> &#8212; <span class="type">PF_INET</span> or
       <span class="type">PF_INET6</span>.  If an error occurs, the error code is returned
       in <em class="parameter"><code>*error</code></em>.  The other function
       parameters are
       identical to those in <code class="function">lwres_gethostbyname_r()</code>.
       <em class="parameter"><code>resbuf</code></em> is a pointer to a
       <span class="type">struct hostent</span> which is initialised by a successful call to
       <code class="function">lwres_gethostbyaddr_r()</code>.
       <em class="parameter"><code>buf</code></em> is a buffer of length
       <em class="parameter"><code>len</code></em> bytes which is used to store the
       <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
       <code class="constant">h_addr_list</code> elements of the
       <span class="type">struct hostent</span> returned in <em class="parameter"><code>resbuf</code></em>.
       Successful calls to <code class="function">lwres_gethostbyaddr_r()</code> return
       <em class="parameter"><code>resbuf</code></em>, which is a pointer to the
       <code class="function">struct hostent()</code> it created.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543971"></a><h2>RETURN VALUES</h2>
+<a name="id2543969"></a><h2>RETURN VALUES</h2>
 <p>
       The functions
       <code class="function">lwres_gethostbyname()</code>,
       <code class="function">lwres_gethostbyname2()</code>,
       <code class="function">lwres_gethostbyaddr()</code>,
       and
       <code class="function">lwres_gethostent()</code>
       return NULL to indicate an error.  In this case the global variable
       <span class="type">lwres_h_errno</span>
       will contain one of the following error codes defined in
       <code class="filename">&lt;lwres/netdb.h&gt;</code>:
 
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt>
 <dd><p>
               The host or address was not found.
             </p></dd>
 <dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt>
 <dd><p>
               A recoverable error occurred, e.g., a timeout.
               Retrying the lookup may succeed.
             </p></dd>
 <dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt>
 <dd><p>
               A non-recoverable error occurred.
             </p></dd>
 <dt><span class="term"><code class="constant">NO_DATA</code></span></dt>
 <dd><p>
               The name exists, but has no address information
               associated with it (or vice versa in the case
               of a reverse lookup).  The code NO_ADDRESS
               is accepted as a synonym for NO_DATA for backwards
               compatibility.
             </p></dd>
 </dl></div>
 <p>
     </p>
 <p><span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>
       translates these error codes to suitable error messages.
     </p>
 <p><code class="function">lwres_gethostent()</code>
       and <code class="function">lwres_gethostent_r()</code>
       always return <span class="type">NULL</span>.
     </p>
 <p>
       Successful calls to <code class="function">lwres_gethostbyname_r()</code> and
       <code class="function">lwres_gethostbyaddr_r()</code> return
       <em class="parameter"><code>resbuf</code></em>, a pointer to the
       <span class="type">struct hostent</span> that was initialised by these functions.  They return
       <span class="type">NULL</span> if the lookups fail or if <em class="parameter"><code>buf</code></em>
       was too small to hold the list of addresses and names referenced by
       the <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
       <code class="constant">h_addr_list</code> elements of the
       <span class="type">struct hostent</span>.
       If <em class="parameter"><code>buf</code></em> was too small, both
       <code class="function">lwres_gethostbyname_r()</code> and
       <code class="function">lwres_gethostbyaddr_r()</code> set the global
       variable
       <span class="type">errno</span> to <span class="errorcode">ERANGE</span>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544204"></a><h2>SEE ALSO</h2>
+<a name="id2544202"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544238"></a><h2>BUGS</h2>
+<a name="id2544236"></a><h2>BUGS</h2>
 <p><code class="function">lwres_gethostbyname()</code>,
       <code class="function">lwres_gethostbyname2()</code>,
       <code class="function">lwres_gethostbyaddr()</code>
       and
       <code class="function">lwres_endhostent()</code>
       are not thread safe; they return pointers to static data and
       provide error codes through a global variable.
       Thread-safe versions for name and address lookup are provided by
       <code class="function">lwres_gethostbyname_r()</code>,
       and
       <code class="function">lwres_gethostbyaddr_r()</code>
       respectively.
     </p>
 <p>
       The resolver daemon does not currently support any non-DNS
       name services such as
       <code class="filename">/etc/hosts</code>
       or
       <span class="type">NIS</span>,
       consequently the above functions don't, either.
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_getipnode.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_getipnode.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_getipnode.html	(revision 286124)
@@ -1,279 +1,279 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getipnode</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent &#8212; lightweight resolver nodename / address translation API</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 struct hostent *
 <b class="fsfunc">lwres_getipnodebyname</b>(</code></td>
 <td>const char * </td>
 <td>
 <var class="pdparam">name</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int  </td>
 <td>
 <var class="pdparam">af</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int  </td>
 <td>
 <var class="pdparam">flags</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int * </td>
 <td>
 <var class="pdparam">error_num</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 struct hostent *
 <b class="fsfunc">lwres_getipnodebyaddr</b>(</code></td>
 <td>const void * </td>
 <td>
 <var class="pdparam">src</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>size_t  </td>
 <td>
 <var class="pdparam">len</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int  </td>
 <td>
 <var class="pdparam">af</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int * </td>
 <td>
 <var class="pdparam">error_num</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_freehostent</b>(</code></td>
 <td>struct hostent * </td>
 <td>
 <var class="pdparam">he</var><code>)</code>;</td>
 </tr></table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543443"></a><h2>DESCRIPTION</h2>
+<a name="id2543441"></a><h2>DESCRIPTION</h2>
 <p>
       These functions perform thread safe, protocol independent
       nodename-to-address and address-to-nodename
       translation as defined in RFC2553.
     </p>
 <p>
       They use a
       <span class="type">struct hostent</span>
       which is defined in
       <code class="filename">namedb.h</code>:
     </p>
 <pre class="programlisting">
 struct  hostent {
         char    *h_name;        /* official name of host */
         char    **h_aliases;    /* alias list */
         int     h_addrtype;     /* host address type */
         int     h_length;       /* length of address */
         char    **h_addr_list;  /* list of addresses from name server */
 };
 #define h_addr  h_addr_list[0]  /* address, for backward compatibility */
 </pre>
 <p>
     </p>
 <p>
       The members of this structure are:
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">h_name</code></span></dt>
 <dd><p>
               The official (canonical) name of the host.
             </p></dd>
 <dt><span class="term"><code class="constant">h_aliases</code></span></dt>
 <dd><p>
               A NULL-terminated array of alternate names (nicknames) for the
               host.
             </p></dd>
 <dt><span class="term"><code class="constant">h_addrtype</code></span></dt>
 <dd><p>
               The type of address being returned - usually
               <span class="type">PF_INET</span>
               or
               <span class="type">PF_INET6</span>.
 
             </p></dd>
 <dt><span class="term"><code class="constant">h_length</code></span></dt>
 <dd><p>
               The length of the address in bytes.
             </p></dd>
 <dt><span class="term"><code class="constant">h_addr_list</code></span></dt>
 <dd><p>
               A
               <span class="type">NULL</span>
               terminated array of network addresses for the host.
               Host addresses are returned in network byte order.
             </p></dd>
 </dl></div>
 <p>
     </p>
 <p><code class="function">lwres_getipnodebyname()</code>
       looks up addresses of protocol family <em class="parameter"><code>af</code></em>
       for the hostname <em class="parameter"><code>name</code></em>.  The
       <em class="parameter"><code>flags</code></em> parameter contains ORed flag bits
       to specify the types of addresses that are searched for, and the
       types of addresses that are returned.  The flag bits are:
 
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">AI_V4MAPPED</code></span></dt>
 <dd><p>
               This is used with an
               <em class="parameter"><code>af</code></em>
               of AF_INET6, and causes IPv4 addresses to be returned as
               IPv4-mapped
               IPv6 addresses.
             </p></dd>
 <dt><span class="term"><code class="constant">AI_ALL</code></span></dt>
 <dd><p>
               This is used with an
               <em class="parameter"><code>af</code></em>
               of AF_INET6, and causes all known addresses (IPv6 and IPv4) to
               be returned.
               If AI_V4MAPPED is also set, the IPv4 addresses are return as
               mapped
               IPv6 addresses.
             </p></dd>
 <dt><span class="term"><code class="constant">AI_ADDRCONFIG</code></span></dt>
 <dd><p>
               Only return an IPv6 or IPv4 address if here is an active network
               interface of that type.  This is not currently implemented
               in the BIND 9 lightweight resolver, and the flag is ignored.
             </p></dd>
 <dt><span class="term"><code class="constant">AI_DEFAULT</code></span></dt>
 <dd><p>
               This default sets the
               <code class="constant">AI_V4MAPPED</code>
               and
               <code class="constant">AI_ADDRCONFIG</code>
               flag bits.
             </p></dd>
 </dl></div>
 <p>
     </p>
 <p><code class="function">lwres_getipnodebyaddr()</code>
       performs a reverse lookup of address <em class="parameter"><code>src</code></em>
       which is <em class="parameter"><code>len</code></em> bytes long.
       <em class="parameter"><code>af</code></em> denotes the protocol family, typically
       <span class="type">PF_INET</span> or <span class="type">PF_INET6</span>.
     </p>
 <p><code class="function">lwres_freehostent()</code>
       releases all the memory associated with the <span class="type">struct
       hostent</span> pointer <em class="parameter"><code>he</code></em>.  Any memory
       allocated for the <code class="constant">h_name</code>,
       <code class="constant">h_addr_list</code> and
       <code class="constant">h_aliases</code> is freed, as is the memory for
       the <span class="type">hostent</span> structure itself.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543701"></a><h2>RETURN VALUES</h2>
+<a name="id2543699"></a><h2>RETURN VALUES</h2>
 <p>
       If an error occurs,
       <code class="function">lwres_getipnodebyname()</code>
       and
       <code class="function">lwres_getipnodebyaddr()</code>
       set
       <em class="parameter"><code>*error_num</code></em>
       to an appropriate error code and the function returns a
       <span class="type">NULL</span>
       pointer.
       The error codes and their meanings are defined in
       <code class="filename">&lt;lwres/netdb.h&gt;</code>:
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt>
 <dd><p>
               No such host is known.
             </p></dd>
 <dt><span class="term"><code class="constant">NO_ADDRESS</code></span></dt>
 <dd><p>
               The server recognised the request and the name but no address is
               available.  Another type of request to the name server for the
               domain might return an answer.
             </p></dd>
 <dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt>
 <dd><p>
               A temporary and possibly transient error occurred, such as a
               failure of a server to respond.  The request may succeed if
               retried.
             </p></dd>
 <dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt>
 <dd><p>
               An unexpected failure occurred, and retrying the request
               is pointless.
             </p></dd>
 </dl></div>
 <p>
     </p>
 <p><span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>
       translates these error codes to suitable error messages.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543798"></a><h2>SEE ALSO</h2>
+<a name="id2543796"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">RFC2553</span></span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html	(revision 286124)
@@ -1,176 +1,176 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getnameinfo</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getnameinfo &#8212; lightweight resolver socket address structure to hostname and
       service name
     </p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
 <tr>
 <td><code class="funcdef">
 int
 <b class="fsfunc">lwres_getnameinfo</b>(</code></td>
 <td>const struct sockaddr * </td>
 <td>
 <var class="pdparam">sa</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>size_t  </td>
 <td>
 <var class="pdparam">salen</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>char * </td>
 <td>
 <var class="pdparam">host</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>size_t  </td>
 <td>
 <var class="pdparam">hostlen</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>char * </td>
 <td>
 <var class="pdparam">serv</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>size_t  </td>
 <td>
 <var class="pdparam">servlen</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>int  </td>
 <td>
 <var class="pdparam">flags</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543404"></a><h2>DESCRIPTION</h2>
+<a name="id2543402"></a><h2>DESCRIPTION</h2>
 <p>
        This function is equivalent to the
       <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span> function defined in RFC2133.
       <code class="function">lwres_getnameinfo()</code> returns the
       hostname for the
       <span class="type">struct sockaddr</span> <em class="parameter"><code>sa</code></em> which
       is
       <em class="parameter"><code>salen</code></em> bytes long.  The hostname is of
       length
       <em class="parameter"><code>hostlen</code></em> and is returned via
       <em class="parameter"><code>*host.</code></em> The maximum length of the
       hostname is
       1025 bytes: <code class="constant">NI_MAXHOST</code>.
     </p>
 <p> The name of the service associated with the port number in
       <em class="parameter"><code>sa</code></em> is returned in <em class="parameter"><code>*serv.</code></em>
       It is <em class="parameter"><code>servlen</code></em> bytes long.  The
       maximum length
       of the service name is <code class="constant">NI_MAXSERV</code> - 32
       bytes.
     </p>
 <p>
        The <em class="parameter"><code>flags</code></em> argument sets the
       following
       bits:
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">NI_NOFQDN</code></span></dt>
 <dd><p>
               A fully qualified domain name is not required for local hosts.
               The local part of the fully qualified domain name is returned
               instead.
             </p></dd>
 <dt><span class="term"><code class="constant">NI_NUMERICHOST</code></span></dt>
 <dd><p>
               Return the address in numeric form, as if calling inet_ntop(),
               instead of a host name.
             </p></dd>
 <dt><span class="term"><code class="constant">NI_NAMEREQD</code></span></dt>
 <dd><p>
               A name is required. If the hostname cannot be found in the DNS
               and
               this flag is set, a non-zero error code is returned.
               If the hostname is not found and the flag is not set, the
               address is returned in numeric form.
             </p></dd>
 <dt><span class="term"><code class="constant">NI_NUMERICSERV</code></span></dt>
 <dd><p>
               The service name is returned as a digit string representing the
               port number.
             </p></dd>
 <dt><span class="term"><code class="constant">NI_DGRAM</code></span></dt>
 <dd><p>
               Specifies that the service being looked up is a datagram
               service,  and causes getservbyport() to be called with a second
               argument of "udp" instead of its default of "tcp".  This is
               required
               for the few ports (512-514) that have different services for UDP
               and
               TCP.
             </p></dd>
 </dl></div>
 <p>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543546"></a><h2>RETURN VALUES</h2>
+<a name="id2543544"></a><h2>RETURN VALUES</h2>
 <p><code class="function">lwres_getnameinfo()</code>
       returns 0 on success or a non-zero error code if an error occurs.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543558"></a><h2>SEE ALSO</h2>
+<a name="id2543556"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
       <span class="citerefentry"><span class="refentrytitle">getservbyport</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">lwres_getnamebyaddr</span>(3)</span>.
       <span class="citerefentry"><span class="refentrytitle">lwres_net_ntop</span>(3)</span>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543616"></a><h2>BUGS</h2>
+<a name="id2543613"></a><h2>BUGS</h2>
 <p>
       RFC2133 fails to define what the nonzero return values of
       <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span>
       are.
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html	(revision 286124)
@@ -1,192 +1,192 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_getrrsetbyname</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getrrsetbyname, lwres_freerrset &#8212; retrieve DNS records</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 int
 <b class="fsfunc">lwres_getrrsetbyname</b>(</code></td>
 <td>const char * </td>
 <td>
 <var class="pdparam">hostname</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>unsigned int  </td>
 <td>
 <var class="pdparam">rdclass</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>unsigned int  </td>
 <td>
 <var class="pdparam">rdtype</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>unsigned int  </td>
 <td>
 <var class="pdparam">flags</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>struct rrsetinfo ** </td>
 <td>
 <var class="pdparam">res</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_freerrset</b>(</code></td>
 <td>struct rrsetinfo * </td>
 <td>
 <var class="pdparam">rrset</var><code>)</code>;</td>
 </tr></table>
 </div>
 <p>
       The following structures are used:
     </p>
 <pre class="programlisting">
 struct  rdatainfo {
         unsigned int            rdi_length;     /* length of data */
         unsigned char           *rdi_data;      /* record data */
 };
 </pre>
 <p>
     </p>
 <pre class="programlisting">
 struct  rrsetinfo {
         unsigned int            rri_flags;      /* RRSET_VALIDATED... */
         unsigned int            rri_rdclass;    /* class number */
         unsigned int            rri_rdtype;     /* RR type number */
         unsigned int            rri_ttl;        /* time to live */
         unsigned int            rri_nrdatas;    /* size of rdatas array */
         unsigned int            rri_nsigs;      /* size of sigs array */
         char                    *rri_name;      /* canonical name */
         struct rdatainfo        *rri_rdatas;    /* individual records */
         struct rdatainfo        *rri_sigs;      /* individual signatures */
 };
 </pre>
 <p>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543426"></a><h2>DESCRIPTION</h2>
+<a name="id2543424"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_getrrsetbyname()</code>
       gets a set of resource records associated with a
       <em class="parameter"><code>hostname</code></em>, <em class="parameter"><code>class</code></em>,
       and <em class="parameter"><code>type</code></em>.
       <em class="parameter"><code>hostname</code></em> is a pointer a to
       null-terminated string.  The <em class="parameter"><code>flags</code></em> field
       is currently unused and must be zero.
     </p>
 <p>
       After a successful call to
       <code class="function">lwres_getrrsetbyname()</code>,
       <em class="parameter"><code>*res</code></em> is a pointer to an
       <span class="type">rrsetinfo</span> structure, containing a list of one or
       more <span class="type">rdatainfo</span> structures containing resource
       records and potentially another list of <span class="type">rdatainfo</span>
       structures containing SIG resource records associated with those
       records.  The members <code class="constant">rri_rdclass</code> and
       <code class="constant">rri_rdtype</code> are copied from the parameters.
       <code class="constant">rri_ttl</code> and <code class="constant">rri_name</code>
       are properties of the obtained rrset.  The resource records
       contained in <code class="constant">rri_rdatas</code> and
       <code class="constant">rri_sigs</code> are in uncompressed DNS wire
       format.  Properties of the rdataset are represented in the
       <code class="constant">rri_flags</code> bitfield.  If the RRSET_VALIDATED
       bit is set, the data has been DNSSEC validated and the
       signatures verified.
     </p>
 <p>
       All of the information returned by
       <code class="function">lwres_getrrsetbyname()</code> is dynamically
       allocated: the <code class="constant">rrsetinfo</code> and
       <code class="constant">rdatainfo</code> structures, and the canonical
       host name strings pointed to by the
       <code class="constant">rrsetinfo</code>structure.
 
       Memory allocated for the dynamically allocated structures
       created by a successful call to
       <code class="function">lwres_getrrsetbyname()</code> is released by
       <code class="function">lwres_freerrset()</code>.
 
       <em class="parameter"><code>rrset</code></em> is a pointer to a <span class="type">struct
       rrset</span> created by a call to
       <code class="function">lwres_getrrsetbyname()</code>.
     </p>
 <p></p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543538"></a><h2>RETURN VALUES</h2>
+<a name="id2543536"></a><h2>RETURN VALUES</h2>
 <p><code class="function">lwres_getrrsetbyname()</code>
       returns zero on success, and one of the following error codes if
       an error occurred:
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">ERRSET_NONAME</code></span></dt>
 <dd><p>
               the name does not exist
             </p></dd>
 <dt><span class="term"><code class="constant">ERRSET_NODATA</code></span></dt>
 <dd><p>
               the name exists, but does not have data of the desired type
             </p></dd>
 <dt><span class="term"><code class="constant">ERRSET_NOMEMORY</code></span></dt>
 <dd><p>
               memory could not be allocated
             </p></dd>
 <dt><span class="term"><code class="constant">ERRSET_INVAL</code></span></dt>
 <dd><p>
               a parameter is invalid
             </p></dd>
 <dt><span class="term"><code class="constant">ERRSET_FAIL</code></span></dt>
 <dd><p>
               other failure
             </p></dd>
 <dt><span class="term"><code class="constant"></code></span></dt>
 <dd><p></p></dd>
 </dl></div>
 <p>
 
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543638"></a><h2>SEE ALSO</h2>
+<a name="id2543636"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>.
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_gnba.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_gnba.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_gnba.html	(revision 286124)
@@ -1,316 +1,316 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_gnba</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free &#8212; lightweight resolver getnamebyaddress message handling</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">
 #include &lt;lwres/lwres.h&gt;
 </pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_gnbarequest_render</b>
 (</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_gnbarequest_t * </td>
 <td>
 <var class="pdparam">req</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_gnbaresponse_render</b>
 (</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_gnbaresponse_t * </td>
 <td>
 <var class="pdparam">req</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_gnbarequest_parse</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_gnbarequest_t ** </td>
 <td>
 <var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_gnbaresponse_parse</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_gnbaresponse_t ** </td>
 <td>
 <var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_gnbaresponse_free</b>
 (</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_gnbaresponse_t ** </td>
 <td>
 <var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_gnbarequest_free</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_gnbarequest_t ** </td>
 <td>
 <var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543537"></a><h2>DESCRIPTION</h2>
+<a name="id2543534"></a><h2>DESCRIPTION</h2>
 <p>
       These are low-level routines for creating and parsing
       lightweight resolver address-to-name lookup request and
       response messages.
     </p>
 <p>
       There are four main functions for the getnamebyaddr opcode.
       One render function converts a getnamebyaddr request structure &#8212;
       <span class="type">lwres_gnbarequest_t</span> &#8212;
       to the lightweight resolver's canonical format.
       It is complemented by a parse function that converts a packet in this
       canonical format to a getnamebyaddr request structure.
       Another render function converts the getnamebyaddr response structure
       &#8212;
       <span class="type">lwres_gnbaresponse_t</span>
       to the canonical format.
       This is complemented by a parse function which converts a packet in
       canonical format to a getnamebyaddr response structure.
     </p>
 <p>
       These structures are defined in
       <code class="filename">lwres/lwres.h</code>.
       They are shown below.
     </p>
 <pre class="programlisting">
 #define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
 </pre>
 <p>
     </p>
 <pre class="programlisting">
 typedef struct {
         lwres_uint32_t  flags;
         lwres_addr_t    addr;
 } lwres_gnbarequest_t;
 </pre>
 <p>
     </p>
 <pre class="programlisting">
 typedef struct {
         lwres_uint32_t  flags;
         lwres_uint16_t  naliases;
         char           *realname;
         char          **aliases;
         lwres_uint16_t  realnamelen;
         lwres_uint16_t *aliaslen;
         void           *base;
         size_t          baselen;
 } lwres_gnbaresponse_t;
 </pre>
 <p>
     </p>
 <p><code class="function">lwres_gnbarequest_render()</code>
       uses resolver context <code class="varname">ctx</code> to convert
       getnamebyaddr request structure <code class="varname">req</code> to
       canonical format.  The packet header structure
       <code class="varname">pkt</code> is initialised and transferred to buffer
       <code class="varname">b</code>.  The contents of <code class="varname">*req</code>
       are then appended to the buffer in canonical format.
       <code class="function">lwres_gnbaresponse_render()</code> performs the
       same task, except it converts a getnamebyaddr response structure
       <span class="type">lwres_gnbaresponse_t</span> to the lightweight resolver's
       canonical format.
     </p>
 <p><code class="function">lwres_gnbarequest_parse()</code>
       uses context <code class="varname">ctx</code> to convert the contents of
       packet <code class="varname">pkt</code> to a
       <span class="type">lwres_gnbarequest_t</span> structure.  Buffer
       <code class="varname">b</code> provides space to be used for storing this
       structure.  When the function succeeds, the resulting
       <span class="type">lwres_gnbarequest_t</span> is made available through
       <code class="varname">*structp</code>.
       <code class="function">lwres_gnbaresponse_parse()</code> offers the same
       semantics as <code class="function">lwres_gnbarequest_parse()</code>
       except it yields a <span class="type">lwres_gnbaresponse_t</span> structure.
     </p>
 <p><code class="function">lwres_gnbaresponse_free()</code>
       and <code class="function">lwres_gnbarequest_free()</code> release the
       memory in resolver context <code class="varname">ctx</code> that was
       allocated to the <span class="type">lwres_gnbaresponse_t</span> or
       <span class="type">lwres_gnbarequest_t</span> structures referenced via
       <code class="varname">structp</code>.  Any memory associated with
       ancillary buffers and strings for those structures is also
       discarded.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543676"></a><h2>RETURN VALUES</h2>
+<a name="id2543674"></a><h2>RETURN VALUES</h2>
 <p>
       The getnamebyaddr opcode functions
       <code class="function">lwres_gnbarequest_render()</code>,
       <code class="function">lwres_gnbaresponse_render()</code>
       <code class="function">lwres_gnbarequest_parse()</code>
       and
       <code class="function">lwres_gnbaresponse_parse()</code>
       all return
       <span class="errorcode">LWRES_R_SUCCESS</span>
       on success.
       They return
       <span class="errorcode">LWRES_R_NOMEMORY</span>
       if memory allocation fails.
       <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
       is returned if the available space in the buffer
       <code class="varname">b</code>
       is too small to accommodate the packet header or the
       <span class="type">lwres_gnbarequest_t</span>
       and
       <span class="type">lwres_gnbaresponse_t</span>
       structures.
       <code class="function">lwres_gnbarequest_parse()</code>
       and
       <code class="function">lwres_gnbaresponse_parse()</code>
       will return
       <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
       if the buffer is not empty after decoding the received packet.
       These functions will return
       <span class="errorcode">LWRES_R_FAILURE</span>
       if
       <em class="structfield"><code>pktflags</code></em>
       in the packet header structure
       <span class="type">lwres_lwpacket_t</span>
       indicate that the packet is not a response to an earlier query.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543742"></a><h2>SEE ALSO</h2>
+<a name="id2543740"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>.
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_hstrerror.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_hstrerror.html	(revision 286124)
@@ -1,104 +1,104 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_hstrerror</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_herror, lwres_hstrerror &#8212; lightweight resolver error message generation</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_herror</b>(</code></td>
 <td>const char * </td>
 <td>
 <var class="pdparam">s</var><code>)</code>;</td>
 </tr></table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
 <td><code class="funcdef">
 const char *
 <b class="fsfunc">lwres_hstrerror</b>(</code></td>
 <td>int  </td>
 <td>
 <var class="pdparam">err</var><code>)</code>;</td>
 </tr></table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543390"></a><h2>DESCRIPTION</h2>
+<a name="id2543388"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_herror()</code>
       prints the string <em class="parameter"><code>s</code></em> on
       <span class="type">stderr</span> followed by the string generated by
       <code class="function">lwres_hstrerror()</code> for the error code stored
       in the global variable <code class="constant">lwres_h_errno</code>.
     </p>
 <p><code class="function">lwres_hstrerror()</code>
       returns an appropriate string for the error code gievn by
       <em class="parameter"><code>err</code></em>.  The values of the error codes and
       messages are as follows:
 
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><span class="errorcode">NETDB_SUCCESS</span></span></dt>
 <dd><p><span class="errorname">Resolver Error 0 (no error)</span>
             </p></dd>
 <dt><span class="term"><span class="errorcode">HOST_NOT_FOUND</span></span></dt>
 <dd><p><span class="errorname">Unknown host</span>
             </p></dd>
 <dt><span class="term"><span class="errorcode">TRY_AGAIN</span></span></dt>
 <dd><p><span class="errorname">Host name lookup failure</span>
             </p></dd>
 <dt><span class="term"><span class="errorcode">NO_RECOVERY</span></span></dt>
 <dd><p><span class="errorname">Unknown server error</span>
             </p></dd>
 <dt><span class="term"><span class="errorcode">NO_DATA</span></span></dt>
 <dd><p><span class="errorname">No address associated with name</span>
             </p></dd>
 </dl></div>
 <p>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543509"></a><h2>RETURN VALUES</h2>
+<a name="id2543507"></a><h2>RETURN VALUES</h2>
 <p>
       The string <span class="errorname">Unknown resolver error</span> is returned by
       <code class="function">lwres_hstrerror()</code>
       when the value of
       <code class="constant">lwres_h_errno</code>
       is not a valid error code.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543529"></a><h2>SEE ALSO</h2>
+<a name="id2543527"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">herror</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_inetntop.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_inetntop.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_inetntop.html	(revision 286124)
@@ -1,103 +1,103 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_inetntop</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_net_ntop &#8212; lightweight resolver IP address presentation</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/net.h&gt;</pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
 <tr>
 <td><code class="funcdef">
 const char *
 <b class="fsfunc">lwres_net_ntop</b>(</code></td>
 <td>int  </td>
 <td>
 <var class="pdparam">af</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>const void * </td>
 <td>
 <var class="pdparam">src</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>char * </td>
 <td>
 <var class="pdparam">dst</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>size_t  </td>
 <td>
 <var class="pdparam">size</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543390"></a><h2>DESCRIPTION</h2>
+<a name="id2543388"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_net_ntop()</code>
       converts an IP address of protocol family
       <em class="parameter"><code>af</code></em> &#8212; IPv4 or IPv6 &#8212; at
       location <em class="parameter"><code>src</code></em> from network format to its
       conventional representation as a string.  For IPv4 addresses,
       that string would be a dotted-decimal.  An IPv6 address would be
       represented in colon notation as described in RFC1884.
     </p>
 <p>
       The generated string is copied to <em class="parameter"><code>dst</code></em>
       provided
       <em class="parameter"><code>size</code></em> indicates it is long enough to
       store the
       ASCII representation of the address.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543422"></a><h2>RETURN VALUES</h2>
+<a name="id2543420"></a><h2>RETURN VALUES</h2>
 <p>
       If successful, the function returns <em class="parameter"><code>dst</code></em>:
       a pointer to a string containing the presentation format of the
       address.  <code class="function">lwres_net_ntop()</code> returns
       <span class="type">NULL</span> and sets the global variable
       <code class="constant">errno</code> to <span class="errorcode">EAFNOSUPPORT</span> if
       the protocol family given in <em class="parameter"><code>af</code></em> is
       not
       supported.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543456"></a><h2>SEE ALSO</h2>
+<a name="id2543453"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">RFC1884</span></span>,
       <span class="citerefentry"><span class="refentrytitle">inet_ntop</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">errno</span>(3)</span>.
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_noop.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_noop.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_noop.html	(revision 286124)
@@ -1,317 +1,317 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_noop</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free &#8212; lightweight resolver no-op message handling</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">
 #include &lt;lwres/lwres.h&gt;</pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_nooprequest_render</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_nooprequest_t * </td>
 <td>
 <var class="pdparam">req</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_noopresponse_render</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_noopresponse_t * </td>
 <td>
 <var class="pdparam">req</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_nooprequest_parse</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_nooprequest_t ** </td>
 <td>
 <var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_noopresponse_parse</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_noopresponse_t ** </td>
 <td>
 <var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_noopresponse_free</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_noopresponse_t ** </td>
 <td>
 <var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
 <tr>
 <td><code class="funcdef">
 void
 <b class="fsfunc">lwres_nooprequest_free</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_nooprequest_t ** </td>
 <td>
 <var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543533"></a><h2>DESCRIPTION</h2>
+<a name="id2543531"></a><h2>DESCRIPTION</h2>
 <p>
       These are low-level routines for creating and parsing
       lightweight resolver no-op request and response messages.
     </p>
 <p>
       The no-op message is analogous to a <span><strong class="command">ping</strong></span>
       packet:
       a packet is sent to the resolver daemon and is simply echoed back.
       The opcode is intended to allow a client to determine if the server is
       operational or not.
     </p>
 <p>
       There are four main functions for the no-op opcode.
       One render function converts a no-op request structure &#8212;
       <span class="type">lwres_nooprequest_t</span> &#8212;
       to the lightweight resolver's canonical format.
       It is complemented by a parse function that converts a packet in this
       canonical format to a no-op request structure.
       Another render function converts the no-op response structure &#8212;
       <span class="type">lwres_noopresponse_t</span>
       to the canonical format.
       This is complemented by a parse function which converts a packet in
       canonical format to a no-op response structure.
     </p>
 <p>
       These structures are defined in
       <code class="filename">lwres/lwres.h</code>.
 
       They are shown below.
     </p>
 <pre class="programlisting">
 #define LWRES_OPCODE_NOOP       0x00000000U
 </pre>
 <p>
     </p>
 <pre class="programlisting">
 typedef struct {
         lwres_uint16_t  datalength;
         unsigned char   *data;
 } lwres_nooprequest_t;
 </pre>
 <p>
     </p>
 <pre class="programlisting">
 typedef struct {
         lwres_uint16_t  datalength;
         unsigned char   *data;
 } lwres_noopresponse_t;
 </pre>
 <p>
     </p>
 <p>
       Although the structures have different types, they are identical.
       This is because the no-op opcode simply echos whatever data was sent:
       the response is therefore identical to the request.
     </p>
 <p><code class="function">lwres_nooprequest_render()</code>
       uses resolver context <em class="parameter"><code>ctx</code></em> to convert
       no-op request structure <em class="parameter"><code>req</code></em> to canonical
       format.  The packet header structure <em class="parameter"><code>pkt</code></em>
       is initialised and transferred to buffer
       <em class="parameter"><code>b</code></em>.  The contents of
       <em class="parameter"><code>*req</code></em> are then appended to the buffer in
       canonical format.
       <code class="function">lwres_noopresponse_render()</code> performs the
       same task, except it converts a no-op response structure
       <span class="type">lwres_noopresponse_t</span> to the lightweight resolver's
       canonical format.
     </p>
 <p><code class="function">lwres_nooprequest_parse()</code>
       uses context <em class="parameter"><code>ctx</code></em> to convert the contents
       of packet <em class="parameter"><code>pkt</code></em> to a
       <span class="type">lwres_nooprequest_t</span> structure.  Buffer
       <em class="parameter"><code>b</code></em> provides space to be used for storing
       this structure.  When the function succeeds, the resulting
       <span class="type">lwres_nooprequest_t</span> is made available through
       <em class="parameter"><code>*structp</code></em>.
       <code class="function">lwres_noopresponse_parse()</code> offers the same
       semantics as <code class="function">lwres_nooprequest_parse()</code>
       except it yields a <span class="type">lwres_noopresponse_t</span> structure.
     </p>
 <p><code class="function">lwres_noopresponse_free()</code>
       and <code class="function">lwres_nooprequest_free()</code> release the
       memory in resolver context <em class="parameter"><code>ctx</code></em> that was
       allocated to the <span class="type">lwres_noopresponse_t</span> or
       <span class="type">lwres_nooprequest_t</span> structures referenced via
       <em class="parameter"><code>structp</code></em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543684"></a><h2>RETURN VALUES</h2>
+<a name="id2543682"></a><h2>RETURN VALUES</h2>
 <p>
       The no-op opcode functions
       <code class="function">lwres_nooprequest_render()</code>,
 
       <code class="function">lwres_noopresponse_render()</code>
       <code class="function">lwres_nooprequest_parse()</code>
       and
       <code class="function">lwres_noopresponse_parse()</code>
       all return
       <span class="errorcode">LWRES_R_SUCCESS</span>
       on success.
       They return
       <span class="errorcode">LWRES_R_NOMEMORY</span>
       if memory allocation fails.
       <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
       is returned if the available space in the buffer
       <em class="parameter"><code>b</code></em>
       is too small to accommodate the packet header or the
       <span class="type">lwres_nooprequest_t</span>
       and
       <span class="type">lwres_noopresponse_t</span>
       structures.
       <code class="function">lwres_nooprequest_parse()</code>
       and
       <code class="function">lwres_noopresponse_parse()</code>
       will return
       <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
       if the buffer is not empty after decoding the received packet.
       These functions will return
       <span class="errorcode">LWRES_R_FAILURE</span>
       if
       <code class="constant">pktflags</code>
       in the packet header structure
       <span class="type">lwres_lwpacket_t</span>
       indicate that the packet is not a response to an earlier query.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543750"></a><h2>SEE ALSO</h2>
+<a name="id2543748"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_packet.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_packet.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_packet.html	(revision 286124)
@@ -1,235 +1,235 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_packet</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_lwpacket_renderheader, lwres_lwpacket_parseheader &#8212; lightweight resolver packet handling functions</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/lwpacket.h&gt;</pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_lwpacket_renderheader</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_lwpacket_parseheader</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_lwpacket_t * </td>
 <td>
 <var class="pdparam">pkt</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543401"></a><h2>DESCRIPTION</h2>
+<a name="id2543399"></a><h2>DESCRIPTION</h2>
 <p>
       These functions rely on a
       <span class="type">struct lwres_lwpacket</span>
       which is defined in
       <code class="filename">lwres/lwpacket.h</code>.
     </p>
 <pre class="programlisting">
 typedef struct lwres_lwpacket lwres_lwpacket_t;
       </pre>
 <p>
     </p>
 <pre class="programlisting">
 struct lwres_lwpacket {
         lwres_uint32_t          length;
         lwres_uint16_t          version;
         lwres_uint16_t          pktflags;
         lwres_uint32_t          serial;
         lwres_uint32_t          opcode;
         lwres_uint32_t          result;
         lwres_uint32_t          recvlength;
         lwres_uint16_t          authtype;
         lwres_uint16_t          authlength;
 };
 </pre>
 <p>
     </p>
 <p>
       The elements of this structure are:
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">length</code></span></dt>
 <dd><p>
               the overall packet length, including the entire packet header.
               This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
               calls.
             </p></dd>
 <dt><span class="term"><code class="constant">version</code></span></dt>
 <dd><p>
               the header format. There is currently only one format,
               <span class="type">LWRES_LWPACKETVERSION_0</span>.
 
               This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
               calls.
             </p></dd>
 <dt><span class="term"><code class="constant">pktflags</code></span></dt>
 <dd><p>
               library-defined flags for this packet: for instance whether the
               packet
               is a request or a reply. Flag values can be set, but not defined
               by
               the caller.
               This field is filled in by the application wit the exception of
               the
               LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in
               the
               lwres_gabn_*() and lwres_gnba_*() calls.
             </p></dd>
 <dt><span class="term"><code class="constant">serial</code></span></dt>
 <dd><p>
               is set by the requestor and is returned in all replies. If two
               or more
               packets from the same source have the same serial number and are
               from
               the same source, they are assumed to be duplicates and the
               latter ones
               may be dropped.
               This field must be set by the application.
             </p></dd>
 <dt><span class="term"><code class="constant">opcode</code></span></dt>
 <dd><p>
               indicates the operation.
               Opcodes between 0x00000000 and 0x03ffffff are
               reserved for use by the lightweight resolver library. Opcodes
               between
               0x04000000 and 0xffffffff are application defined.
               This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
               calls.
             </p></dd>
 <dt><span class="term"><code class="constant">result</code></span></dt>
 <dd><p>
               is only valid for replies.
               Results between 0x04000000 and 0xffffffff are application
               defined.
               Results between 0x00000000 and 0x03ffffff are reserved for
               library use.
               This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
               calls.
             </p></dd>
 <dt><span class="term"><code class="constant">recvlength</code></span></dt>
 <dd><p>
               is the maximum buffer size that the receiver can handle on
               requests
               and the size of the buffer needed to satisfy a request when the
               buffer
               is too large for replies.
               This field is supplied by the application.
             </p></dd>
 <dt><span class="term"><code class="constant">authtype</code></span></dt>
 <dd><p>
               defines the packet level authentication that is used.
               Authorisation types between 0x1000 and 0xffff are application
               defined
               and types between 0x0000 and 0x0fff are reserved for library
               use.
               Currently these are not used and must be zero.
             </p></dd>
 <dt><span class="term"><code class="constant">authlen</code></span></dt>
 <dd><p>
               gives the length of the authentication data.
               Since packet authentication is currently not used, this must be
               zero.
             </p></dd>
 </dl></div>
 <p>
     </p>
 <p>
       The following opcodes are currently defined:
       </p>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">NOOP</code></span></dt>
 <dd><p>
               Success is always returned and the packet contents are echoed.
               The lwres_noop_*() functions should be used for this type.
             </p></dd>
 <dt><span class="term"><code class="constant">GETADDRSBYNAME</code></span></dt>
 <dd><p>
               returns all known addresses for a given name.
               The lwres_gabn_*() functions should be used for this type.
             </p></dd>
 <dt><span class="term"><code class="constant">GETNAMEBYADDR</code></span></dt>
 <dd><p>
               return the hostname for the given address.
               The lwres_gnba_*() functions should be used for this type.
             </p></dd>
 </dl></div>
 <p>
     </p>
 <p><code class="function">lwres_lwpacket_renderheader()</code>
       transfers the contents of lightweight resolver packet structure
       <span class="type">lwres_lwpacket_t</span> <em class="parameter"><code>*pkt</code></em> in
       network byte order to the lightweight resolver buffer,
       <em class="parameter"><code>*b</code></em>.
     </p>
 <p><code class="function">lwres_lwpacket_parseheader()</code>
       performs the converse operation.  It transfers data in network
       byte order from buffer <em class="parameter"><code>*b</code></em> to resolver
       packet <em class="parameter"><code>*pkt</code></em>.  The contents of the buffer
       <em class="parameter"><code>b</code></em> should correspond to a
       <span class="type">lwres_lwpacket_t</span>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543718"></a><h2>RETURN VALUES</h2>
+<a name="id2543716"></a><h2>RETURN VALUES</h2>
 <p>
       Successful calls to
       <code class="function">lwres_lwpacket_renderheader()</code> and
       <code class="function">lwres_lwpacket_parseheader()</code> return
       <span class="errorcode">LWRES_R_SUCCESS</span>.  If there is insufficient
       space to copy data between the buffer <em class="parameter"><code>*b</code></em> and
       lightweight resolver packet <em class="parameter"><code>*pkt</code></em> both
       functions
       return <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>.
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/lib/lwres/man/lwres_resutil.html
===================================================================
--- stable/9/contrib/bind9/lib/lwres/man/lwres_resutil.html	(revision 286123)
+++ stable/9/contrib/bind9/lib/lwres/man/lwres_resutil.html	(revision 286124)
@@ -1,258 +1,258 @@
 <!--
  - Copyright (C) 2004, 2005, 2007, 2014 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
  - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 <!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>lwres_resutil</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476282"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr &#8212; lightweight resolver utility functions</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="funcsynopsis">
 <pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_string_parse</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>char ** </td>
 <td>
 <var class="pdparam">c</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_uint16_t * </td>
 <td>
 <var class="pdparam">len</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_addr_parse</b>(</code></td>
 <td>lwres_buffer_t * </td>
 <td>
 <var class="pdparam">b</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_addr_t * </td>
 <td>
 <var class="pdparam">addr</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_getaddrsbyname</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>const char * </td>
 <td>
 <var class="pdparam">name</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_uint32_t  </td>
 <td>
 <var class="pdparam">addrtypes</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_gabnresponse_t ** </td>
 <td>
 <var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 <table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
 <tr>
 <td><code class="funcdef">
 lwres_result_t
 <b class="fsfunc">lwres_getnamebyaddr</b>(</code></td>
 <td>lwres_context_t * </td>
 <td>
 <var class="pdparam">ctx</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_uint32_t  </td>
 <td>
 <var class="pdparam">addrtype</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_uint16_t  </td>
 <td>
 <var class="pdparam">addrlen</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>const unsigned char * </td>
 <td>
 <var class="pdparam">addr</var>, </td>
 </tr>
 <tr>
 <td> </td>
 <td>lwres_gnbaresponse_t ** </td>
 <td>
 <var class="pdparam">structp</var><code>)</code>;</td>
 </tr>
 </table>
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543478"></a><h2>DESCRIPTION</h2>
+<a name="id2543476"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_string_parse()</code>
       retrieves a DNS-encoded string starting the current pointer of
       lightweight resolver buffer <em class="parameter"><code>b</code></em>: i.e.
       <code class="constant">b-&gt;current</code>.  When the function returns,
       the address of the first byte of the encoded string is returned
       via <em class="parameter"><code>*c</code></em> and the length of that string is
       given by <em class="parameter"><code>*len</code></em>.  The buffer's current
       pointer is advanced to point at the character following the
       string length, the encoded string, and the trailing
       <span class="type">NULL</span> character.
     </p>
 <p><code class="function">lwres_addr_parse()</code>
       extracts an address from the buffer <em class="parameter"><code>b</code></em>.
       The buffer's current pointer <code class="constant">b-&gt;current</code>
       is presumed to point at an encoded address: the address preceded
       by a 32-bit protocol family identifier and a 16-bit length
       field.  The encoded address is copied to
       <code class="constant">addr-&gt;address</code> and
       <code class="constant">addr-&gt;length</code> indicates the size in bytes
       of the address that was copied.
       <code class="constant">b-&gt;current</code> is advanced to point at the
       next byte of available data in the buffer following the encoded
       address.
     </p>
 <p><code class="function">lwres_getaddrsbyname()</code>
       and <code class="function">lwres_getnamebyaddr()</code> use the
       <span class="type">lwres_gnbaresponse_t</span> structure defined below:
     </p>
 <pre class="programlisting">
 typedef struct {
         lwres_uint32_t          flags;
         lwres_uint16_t          naliases;
         lwres_uint16_t          naddrs;
         char                   *realname;
         char                  **aliases;
         lwres_uint16_t          realnamelen;
         lwres_uint16_t         *aliaslen;
         lwres_addrlist_t        addrs;
         void                   *base;
         size_t                  baselen;
 } lwres_gabnresponse_t;
 </pre>
 <p>
       The contents of this structure are not manipulated directly but
       they are controlled through the
       <span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>
       functions.
     </p>
 <p>
       The lightweight resolver uses
       <code class="function">lwres_getaddrsbyname()</code> to perform
       forward lookups.
       Hostname <em class="parameter"><code>name</code></em> is looked up using the
       resolver
       context <em class="parameter"><code>ctx</code></em> for memory allocation.
       <em class="parameter"><code>addrtypes</code></em> is a bitmask indicating
       which type of
       addresses are to be looked up.  Current values for this bitmask are
       <span class="type">LWRES_ADDRTYPE_V4</span> for IPv4 addresses and
       <span class="type">LWRES_ADDRTYPE_V6</span> for IPv6 addresses.  Results of the
       lookup are returned in <em class="parameter"><code>*structp</code></em>.
     </p>
 <p><code class="function">lwres_getnamebyaddr()</code>
       performs reverse lookups.  Resolver context
       <em class="parameter"><code>ctx</code></em> is used for memory allocation.  The
       address type is indicated by <em class="parameter"><code>addrtype</code></em>:
       <span class="type">LWRES_ADDRTYPE_V4</span> or
       <span class="type">LWRES_ADDRTYPE_V6</span>.  The address to be looked up is
       given by <em class="parameter"><code>addr</code></em> and its length is
       <em class="parameter"><code>addrlen</code></em> bytes.  The result of the
       function call is made available through
       <em class="parameter"><code>*structp</code></em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543617"></a><h2>RETURN VALUES</h2>
+<a name="id2543614"></a><h2>RETURN VALUES</h2>
 <p>
       Successful calls to
       <code class="function">lwres_string_parse()</code>
       and
       <code class="function">lwres_addr_parse()</code>
       return
       <span class="errorcode">LWRES_R_SUCCESS.</span>
       Both functions return
       <span class="errorcode">LWRES_R_FAILURE</span>
       if the buffer is corrupt or
       <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
       if the buffer has less space than expected for the components of the
       encoded string or address.
     </p>
 <p><code class="function">lwres_getaddrsbyname()</code>
       returns <span class="errorcode">LWRES_R_SUCCESS</span> on success and it
       returns <span class="errorcode">LWRES_R_NOTFOUND</span> if the hostname
       <em class="parameter"><code>name</code></em> could not be found.
     </p>
 <p><span class="errorcode">LWRES_R_SUCCESS</span>
       is returned by a successful call to
       <code class="function">lwres_getnamebyaddr()</code>.
     </p>
 <p>
       Both
       <code class="function">lwres_getaddrsbyname()</code>
       and
       <code class="function">lwres_getnamebyaddr()</code>
       return
       <span class="errorcode">LWRES_R_NOMEMORY</span>
       when memory allocation requests fail and
       <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
       if the buffers used for sending queries and receiving replies are too
       small.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543688"></a><h2>SEE ALSO</h2>
+<a name="id2543686"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres_buffer</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>.
     </p>
 </div>
 </div></body>
 </html>
Index: stable/9/contrib/bind9/version
===================================================================
--- stable/9/contrib/bind9/version	(revision 286123)
+++ stable/9/contrib/bind9/version	(revision 286124)
@@ -1,11 +1,11 @@
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
 #
 PRODUCT=BIND
 DESCRIPTION="(Extended Support Version)"
 MAJORVER=9
 MINORVER=9
 PATCHVER=7
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=-P
+RELEASEVER=2
 EXTENSIONS=
Index: stable/9/contrib/bind9
===================================================================
--- stable/9/contrib/bind9	(revision 286123)
+++ stable/9/contrib/bind9	(revision 286124)

Property changes on: stable/9/contrib/bind9
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ##
   Merged /vendor/bind9/dist:r286108